diff options
| author | Shawn Rutledge <shawn.rutledge@qt.io> | 2020-02-24 16:23:27 +0100 |
|---|---|---|
| committer | Shawn Rutledge <shawn.rutledge@qt.io> | 2020-02-28 09:31:59 +0100 |
| commit | 7447e2b337f12b4d04935d0f30fc673e4327d5a0 (patch) | |
| tree | e6dfaac556c0e2ccb745bd9d13145b2ed3690f1d /src/gui | |
| parent | eaf7f572bfbcb33b106097923f4e0efdd9c683fc (diff) | |
QTextMarkdownImporter: fix use after free; add fuzz-generated tests
It was possible to end up with a dangling pointer in m_listStack.
This is now avoided by using QPointer and doing nullptr checks before
accessing any QTextList pointer stored there.
We have 2 specimens of garbage that caused crashes before; now they don't.
But only fuzz20450 triggered the dangling pointer in the list stack.
The crash caused by fuzz20580 was fixed by updating md4c from upstream:
4b0fc030777cd541604f5ebaaad47a2b76d61ff9
Change-Id: I8e1eca23b281256a03aea0f55e9ae20f1bdd2a38
Reviewed-by: Robert Loehning <robert.loehning@qt.io>
Diffstat (limited to 'src/gui')
| -rw-r--r-- | src/gui/text/qtextmarkdownimporter.cpp | 7 | ||||
| -rw-r--r-- | src/gui/text/qtextmarkdownimporter_p.h | 2 |
2 files changed, 6 insertions, 3 deletions
diff --git a/src/gui/text/qtextmarkdownimporter.cpp b/src/gui/text/qtextmarkdownimporter.cpp index 7e18a10895..5e75e7816b 100644 --- a/src/gui/text/qtextmarkdownimporter.cpp +++ b/src/gui/text/qtextmarkdownimporter.cpp @@ -577,7 +577,10 @@ void QTextMarkdownImporter::insertBlock() QTextBlockFormat blockFormat; if (!m_listStack.isEmpty() && !m_needsInsertList && m_listItem) { QTextList *list = m_listStack.top(); - blockFormat = list->item(list->count() - 1).blockFormat(); + if (list) + blockFormat = list->item(list->count() - 1).blockFormat(); + else + qWarning() << "attempted to insert into a list that no longer exists"; } if (m_blockQuoteDepth) { blockFormat.setProperty(QTextFormat::BlockQuoteLevel, m_blockQuoteDepth); @@ -607,7 +610,7 @@ void QTextMarkdownImporter::insertBlock() } if (m_needsInsertList) { m_listStack.push(m_cursor->createList(m_listFormat)); - } else if (!m_listStack.isEmpty() && m_listItem) { + } else if (!m_listStack.isEmpty() && m_listItem && m_listStack.top()) { m_listStack.top()->add(m_cursor->block()); } m_needsInsertList = false; diff --git a/src/gui/text/qtextmarkdownimporter_p.h b/src/gui/text/qtextmarkdownimporter_p.h index f450da5eb3..e3b4bcd0f2 100644 --- a/src/gui/text/qtextmarkdownimporter_p.h +++ b/src/gui/text/qtextmarkdownimporter_p.h @@ -113,7 +113,7 @@ private: #endif QString m_blockCodeLanguage; QVector<int> m_nonEmptyTableCells; // in the current row - QStack<QTextList *> m_listStack; + QStack<QPointer<QTextList>> m_listStack; QStack<QTextCharFormat> m_spanFormatStack; QFont m_monoFont; QPalette m_palette; |