author | Marc Mutz <marc.mutz@kdab.com> | 2016-09-21 10:01:01 +0200 |
---|---|---|
committer | Marc Mutz <marc.mutz@kdab.com> | 2016-09-22 15:25:14 +0000 |
commit | 622681eb508ddb1bd51a39b6887beddb43218504 (patch) | |
tree | 28f22e98d977dc0260fd4703d0848622ab36cee7 /src/widgets | |
parent | f6cb8b1af8f15a06898c5c71f81c64779d9478f6 (diff) |
QGraphicsScene: Fix UB (invalid cast) in Private::ungrabMouse()

Found by UBSan:

qgraphicsscene.cpp:1000:40: runtime error: downcast of address 0x2af0d4072b00 which does not point to an object of type 'QGraphicsWidget'
0x2af0d4072b00: note: object is of type 'QGraphicsObject'
00 00 00 00 30 f5 26 bd f0 2a 00 00 90 e1 05 d4 f0 2a 00 00 a8 e3 26 bd f0 2a 00 00 d0 33 0f d4
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QGraphicsObject'
#0 0x2af0badf1305 in QGraphicsScenePrivate::ungrabMouse(QGraphicsItem*, bool) qgraphicsscene.cpp:1000
#1 0x2af0bae0fc24 in QGraphicsScenePrivate::removeItemHelper(QGraphicsItem*) qgraphicsscene.cpp:692
#2 0x2af0bacd21f6 in QGraphicsItem::~QGraphicsItem() qgraphicsitem.cpp:1555
#3 0x2af0bacd4c48 in QGraphicsObject::~QGraphicsObject() qgraphicsitem.cpp:7766
#4 0x2af0baf7e99c in QGraphicsWidget::~QGraphicsWidget() qgraphicswidget.cpp:231
#5 0x2af0baf7f8c0 in QGraphicsWidget::~QGraphicsWidget() qgraphicswidget.cpp:282
#6 0x2af0badcee34 in QGraphicsScene::clear() qgraphicsscene.cpp:2388
#7 0x2af0badcf3fc in QGraphicsScene::~QGraphicsScene() qgraphicsscene.cpp:1682
#8 0x4b26f0 in tst_QGraphicsWidget::popupMouseGrabber() tst_qgraphicswidget.cpp:47

Fix by using the existing graphics widget pointer,
determined a line above to be equivalent to 'item',
for the removePopup() function call instead of
casting 'item' itself.

The rest of removePopup() appears to be well-behaved
and doesn't trigger any more UBSan errors, so it was
indeed just the cast which was undefined, no member
calls.

Change-Id: Ia54da90262a7a02f527914a90b0208be0ffc0f0b
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
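
The situation the commit message describes, as an added example that is not Qt code and not part of the original commit: `Item`, `Widget`, `Scene` and `Popup` are hypothetical stand-ins for QGraphicsItem, QGraphicsWidget and the scene's popup list. It shows that when the base-class destructor calls back into the scene the object is no longer a `Widget`, and that the typed pointer stored earlier can be handed on without any downcast.

```cpp
#include <cstddef>
#include <vector>

struct Scene;
struct Item {                          // stand-in for QGraphicsItem / QGraphicsObject
    Scene *scene;
    explicit Item(Scene *s) : scene(s) {}
    virtual ~Item();                   // calls back into the scene while dying
};
struct Widget : Item {                 // stand-in for QGraphicsWidget
    explicit Widget(Scene *s) : Item(s) {}
};
struct Popup { Item *item; Widget *widget; };  // both recorded while fully alive

struct Scene {
    std::vector<Popup> popups;
    bool widgetWhileAlive = false;     // dynamic type seen at registration
    bool widgetWhileDying = true;      // dynamic type seen from ~Item()
    std::size_t removed = 0;

    void addPopup(Widget *w) {
        popups.push_back({w, w});
        widgetWhileAlive = dynamic_cast<Widget *>(popups.back().item) != nullptr;
    }
    void ungrab(Item *item) {
        if (popups.empty() || popups.back().item != item)
            return;
        // Called from ~Item(): the Widget part is gone, so *item is only an
        // Item now. dynamic_cast reports that; a C-style or static_cast to
        // Widget* here would be the undefined downcast UBSan flagged.
        widgetWhileDying = dynamic_cast<Widget *>(item) != nullptr;
        removePopup(popups.back().widget);   // fixed form: reuse stored pointer
    }
    void removePopup(Widget *) {       // pointer value only, no member access
        popups.pop_back();
        ++removed;
    }
};
Item::~Item() { scene->ungrab(this); }

struct Outcome { bool alive; bool dying; std::size_t removed; std::size_t left; };
Outcome destroyPopup() {
    Scene scene;
    { Widget w(&scene); scene.addPopup(&w); }   // ~Widget(), then ~Item()
    return {scene.widgetWhileAlive, scene.widgetWhileDying,
            scene.removed, scene.popups.size()};
}
```

Building the old cast form with `-fsanitize=vptr` is what produces a report like the one quoted in the commit message.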
Diffstat (limited to 'src/widgets')
-rw-r--r-- | src/widgets/graphicsview/qgraphicsscene.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/widgets/graphicsview/qgraphicsscene.cpp b/src/widgets/graphicsview/qgraphicsscene.cpp index 9e0be0c280..ebc521eb00 100644 --- a/src/widgets/graphicsview/qgraphicsscene.cpp +++ b/src/widgets/graphicsview/qgraphicsscene.cpp @@ -987,7 +987,7 @@ void QGraphicsScenePrivate::ungrabMouse(QGraphicsItem *item, bool itemIsDying) // If the item is a popup, go via removePopup to ensure state // consistency and that it gets hidden correctly - beware that // removePopup() reenters this function to continue removing the grab. - removePopup((QGraphicsWidget *)item, itemIsDying); + removePopup(popupWidgets.constLast(), itemIsDying); return; } |
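Review bot: the new argument `popupWidgets.constLast()` on the `removePopup(...)` line is only valid if the enclosing condition, which the hunk's context does not show, guarantees both that popupWidgets is non-empty and that its last entry is the same object as item. Consider binding that value to a named local that is used in the condition and in the call, or adding a Q_ASSERT to that effect directly before the call, so a later edit to the guard cannot silently turn this into a call on an empty list or a removal of the wrong popup. The existing comment already warns that removePopup() re-enters this function; a short addition saying the argument is deliberately taken from popupWidgets rather than cast from item, because item may already be partly destroyed when itemIsDying is true, would keep the cast from being reintroduced.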