path: root/src/gui/text/qtextmarkdownimporter_p.h
diff options
authorShawn Rutledge <>2020-02-24 16:23:27 +0100
committerShawn Rutledge <>2020-02-28 09:31:59 +0100
commit7447e2b337f12b4d04935d0f30fc673e4327d5a0 (patch)
treee6dfaac556c0e2ccb745bd9d13145b2ed3690f1d /src/gui/text/qtextmarkdownimporter_p.h
parenteaf7f572bfbcb33b106097923f4e0efdd9c683fc (diff)
QTextMarkdownImporter: fix use after free; add fuzz-generated tests
It was possible to end up with a dangling pointer in m_listStack. This is now avoided by using QPointer and doing nullptr checks before accessing any QTextList pointer stored there. We have 2 specimens of garbage that caused crashes before; now they don't. But only fuzz20450 triggered the dangling pointer in the list stack. The crash caused by fuzz20580 was fixed by updating md4c from upstream: 4b0fc030777cd541604f5ebaaad47a2b76d61ff9 Change-Id: I8e1eca23b281256a03aea0f55e9ae20f1bdd2a38 Reviewed-by: Robert Loehning <>
Diffstat (limited to 'src/gui/text/qtextmarkdownimporter_p.h')
1 files changed, 1 insertions, 1 deletions
diff --git a/src/gui/text/qtextmarkdownimporter_p.h b/src/gui/text/qtextmarkdownimporter_p.h
index f450da5eb3..e3b4bcd0f2 100644
--- a/src/gui/text/qtextmarkdownimporter_p.h
+++ b/src/gui/text/qtextmarkdownimporter_p.h
@@ -113,7 +113,7 @@ private:
QString m_blockCodeLanguage;
QVector<int> m_nonEmptyTableCells; // in the current row
- QStack<QTextList *> m_listStack;
+ QStack<QPointer<QTextList>> m_listStack;
QStack<QTextCharFormat> m_spanFormatStack;
QFont m_monoFont;
QPalette m_palette;