Erase password data on QLineEdit destruction

The contents of a deleted QString can still remain in memory
and can be accessible by tools that read the raw process memory.
This means that a QLineEdit that serves as a password input field
can leak the password after it is destroyed.

With this patch, the contents of the m_text string member variable
will be zeroed-out before the m_text is destructed. This is done
only in the cases when the QLineEdit serves as a password field.

[ChangeLog][QtWidgets][QWidgetLineControl/security] Zero-out the string
that contains a password entered into the QLineEdit

Change-Id: I8f88f952244bf8a0399c14acf0869439ca0a60ca
Reviewed-by: Luca Beldi <v.ronin@yahoo.it>
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io>

1 files changed, 6 insertions, 0 deletions

diff --git a/src/widgets/widgets/qwidgetlinecontrol_p.h b/src/widgets/widgets/qwidgetlinecontrol_p.h
index 3e33bc0605..b730b415f0 100644
--- a/src/widgets/widgets/qwidgetlinecontrol_p.h
+++ b/src/widgets/widgets/qwidgetlinecontrol_p.h
@@ -110,6 +110,12 @@ public:
 
     ~QWidgetLineControl()
     {
+        // If this control is used for password input, we don't want the
+        // password data to stay in the process memory, therefore we need
+        // to zero it out
+        if (m_echoMode != QLineEdit::Normal)
+            m_text.fill('\0');
+
         delete [] m_maskData;
     }