author | Marc Mutz <marc.mutz@kdab.com> | 2016-09-20 15:32:17 +0200 |
---|---|---|
committer | Marc Mutz <marc.mutz@kdab.com> | 2016-09-22 15:25:11 +0000 |
commit | f6cb8b1af8f15a06898c5c71f81c64779d9478f6 (patch) | |
tree | 24031742d01ef0b15ff778e11cd4113ac33700dd /src/widgets | |
parent | abe8b4ab9b5243b477c72f3e900d4f6cca79b5c5 (diff) |
QGraphicsScene: Fix UB (invalid cast) in removeItemHelper()
The variable 'item' may or may not contain a QGraphicsObject
pointer. Using static_cast on an 'item' that isn't, is UB.
Found by UBSan (which failed to print a message, but the
function names gave it away):
[...]
#6 <signal handler called>
#7 0x00002b18813bec05 in __ubsan::checkDynamicType(void*, void*, unsigned long) () from /opt/gcc/trunk/lib64/libubsan.so.0
#8 0x00002b18813be0c3 in HandleDynamicTypeCacheMiss(__ubsan::DynamicTypeCacheMissData*, unsigned long, unsigned long, __ubsan::ReportOptions) () from /opt/gcc/trunk/lib64/libubsan.so.0
#9 0x00002b18813be783 in __ubsan_handle_dynamic_type_cache_miss () from /opt/gcc/trunk/lib64/libubsan.so.0
#10 0x00002b1875e71d4d in QGraphicsScenePrivate::removeItemHelper(QGraphicsItem*) () at /home/marc/Qt/qt5/qtbase/src/widgets/graphicsview/qgraphicsscene.cpp:720
#11 0x00002b1875e731ef in QGraphicsScene::removeItem(QGraphicsItem*) () at /home/marc/Qt/qt5/qtbase/src/widgets/graphicsview/qgraphicsscene.cpp:2929
#12 0x00002b1875e6d05f in QGraphicsScenePrivate::removeItemHelper(QGraphicsItem*) () at /home/marc/Qt/qt5/qtbase/src/widgets/graphicsview/qgraphicsscene.cpp:604
#13 0x00002b1875e731ef in QGraphicsScene::removeItem(QGraphicsItem*) () at /home/marc/Qt/qt5/qtbase/src/widgets/graphicsview/qgraphicsscene.cpp:2929
#14 0x00002b1875e73e68 in QGraphicsScene::addItem(QGraphicsItem*) () at /home/marc/Qt/qt5/qtbase/src/widgets/graphicsview/qgraphicsscene.cpp:2505
#15 0x000000000043d34d in tst_QGraphicsWidget::fontPropagationSceneChange() () at /home/marc/Qt/qt5/qtbase/tests/auto/widgets/graphicsview/qgraphicswidget/tst_qgraphicswidget.cpp:941
[...]
Fix by using QGraphicsItem::toGraphicsObject().
Yes, it's that simple...
Change-Id: If04d1b62603cfd808cc7b64946da536c221a0c11
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@qt.io>
Diffstat (limited to 'src/widgets')
-rw-r--r-- | src/widgets/graphicsview/qgraphicsscene.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/widgets/graphicsview/qgraphicsscene.cpp b/src/widgets/graphicsview/qgraphicsscene.cpp index ad58aeb488..9e0be0c280 100644 --- a/src/widgets/graphicsview/qgraphicsscene.cpp +++ b/src/widgets/graphicsview/qgraphicsscene.cpp @@ -710,7 +710,7 @@ void QGraphicsScenePrivate::removeItemHelper(QGraphicsItem *item) ++it; } - QGraphicsObject *dummy = static_cast<QGraphicsObject *>(item); + QGraphicsObject *dummy = item->toGraphicsObject(); cachedTargetItems.removeOne(dummy); cachedItemGestures.remove(dummy); cachedAlreadyDeliveredGestures.remove(dummy); |
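Review bot: on the new `QGraphicsObject *dummy = item->toGraphicsObject();` line, `dummy` is now a null pointer whenever `item` is not a QGraphicsObject, and the three calls that follow (`cachedTargetItems.removeOne(dummy)`, `cachedItemGestures.remove(dummy)`, `cachedAlreadyDeliveredGestures.remove(dummy)`) still run unconditionally with it. Looking up a null key should be a harmless no-op, but it is no longer obvious that this is intended. Consider wrapping the three calls in `if (dummy) { ... }`, or adding a one-line comment saying that null is expected for plain items. The name `dummy` also no longer fits, since the pointer is now a real, checked downcast result; something like `object` would read better. The commit message names tst_QGraphicsWidget::fontPropagationSceneChange() as the test that hit the invalid cast under UBSan, so a short comment noting that the existing test covers this path would help whoever touches the line next.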