Fix bug when destruction fields in QWizard

Maintain the consistency of QWizardPrivate's two members: QVector<QWizardField> fields; QMap<QString, int> fieldIndexMap; during and after calls to QWizardPrivate's void _q_handleFieldObjectDestroyed(QObject *) member function. The failure to maintain this consistency caused an out of bounds access and core dump in QWizard's field(const QString &name) member function. QWizard's field(const QString &name) member function expects the values in the QMap fieldIndexMap to be indexes into the QVector fields. Prior to this change _q_handleFieldObjectDestroyed only removed the appropriate entry from the map and erased it from the vector. It did not decrement by one all the indexes greater than the index that was removed from the map and erased from the vector in the rest of the map. For example ... So if initially have the following mapping ... "field0" -> 0, "field1" -> 1, and "field2" -> 2 with fields of size 3. After destruction of "field1" have ... "field0" -> 0, and "field2" -> 2 with fields of size 2. Now attempts to look up "field2" using QWizard::field will have an out of bounds error and possibly core dump or trigger an internal Qt assert because an attempt to access this->fields[2] will be made. It should be accessing this->fields[1], but does not because the map is no longer consistent with the vector. This change adds a decrement by one for all the indexes greater than the index that was removed from the map and erased from the vector. Task-number: QTBUG-25691 Change-Id: Ia2a41027628a65faec4ecdd5da235ddd19746a57 Reviewed-by: Shane Kearns <shane.kearns@accenture.com> Reviewed-by: Lars Knoll <lars.knoll@nokia.com>
author: Carl Schumann <schumann@fnal.gov> 2012-05-11 13:40:21 -0500
committer: Qt by Nokia <qt-info@nokia.com> 2012-05-16 22:03:30 +0200
commit: a70b8d407e1ca46e5dc208580534feee7ddfe51a (patch)
tree: a83d1834cdc9caf40713897df4344123d4435844 /src/widgets/dialogs/qwizard.cpp
parent: 279562172d2e998e910d82599255cb04b54df823 (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/src/widgets/dialogs/qwizard.cpp b/src/widgets/dialogs/qwizard.cpp
index 36327741c8..740ac1d387 100644
--- a/src/widgets/dialogs/qwizard.cpp
+++ b/src/widgets/dialogs/qwizard.cpp
@@ -1704,16 +1704,29 @@ void QWizardPrivate::_q_updateButtonStates()
 
 void QWizardPrivate::_q_handleFieldObjectDestroyed(QObject *object)
 {
+    int destroyed_index = -1;
     QVector<QWizardField>::iterator it = fields.begin();
     while (it != fields.end()) {
         const QWizardField &field = *it;
         if (field.object == object) {
+            destroyed_index = fieldIndexMap.value(field.name, -1);
             fieldIndexMap.remove(field.name);
             it = fields.erase(it);
         } else {
             ++it;
         }
     }
+    if (destroyed_index != -1) {
+        QMap<QString, int>::iterator it2 = fieldIndexMap.begin();
+        while (it2 != fieldIndexMap.end()) {
+            int index = it2.value();
+            if (index > destroyed_index) {
+                QString field_name = it2.key();
+                fieldIndexMap.insert(field_name, index-1);
+            }
+            ++it2;
+        }
+    }
 }
 
 void QWizardPrivate::setStyle(QStyle *style)
author	Carl Schumann <schumann@fnal.gov>	2012-05-11 13:40:21 -0500
committer	Qt by Nokia <qt-info@nokia.com>	2012-05-16 22:03:30 +0200
commit	a70b8d407e1ca46e5dc208580534feee7ddfe51a (patch)
tree	a83d1834cdc9caf40713897df4344123d4435844 /src/widgets/dialogs/qwizard.cpp
parent	279562172d2e998e910d82599255cb04b54df823 (diff)