summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorMarc Mutz <marc.mutz@kdab.com>2016-09-21 10:01:01 +0200
committerMarc Mutz <marc.mutz@kdab.com>2016-09-22 15:25:14 +0000
commit622681eb508ddb1bd51a39b6887beddb43218504 (patch)
tree28f22e98d977dc0260fd4703d0848622ab36cee7 /src
parentf6cb8b1af8f15a06898c5c71f81c64779d9478f6 (diff)
QGraphicsScene: Fix UB (invalid cast) in Private::ungrabMouse()
Found by UBSan: qgraphicsscene.cpp:1000:40: runtime error: downcast of address 0x2af0d4072b00 which does not point to an object of type 'QGraphicsWidget' 0x2af0d4072b00: note: object is of type 'QGraphicsObject' 00 00 00 00 30 f5 26 bd f0 2a 00 00 90 e1 05 d4 f0 2a 00 00 a8 e3 26 bd f0 2a 00 00 d0 33 0f d4 ^~~~~~~~~~~~~~~~~~~~~~~ vptr for 'QGraphicsObject' #0 0x2af0badf1305 in QGraphicsScenePrivate::ungrabMouse(QGraphicsItem*, bool) qgraphicsscene.cpp:1000 #1 0x2af0bae0fc24 in QGraphicsScenePrivate::removeItemHelper(QGraphicsItem*) qgraphicsscene.cpp:692 #2 0x2af0bacd21f6 in QGraphicsItem::~QGraphicsItem() qgraphicsitem.cpp:1555 #3 0x2af0bacd4c48 in QGraphicsObject::~QGraphicsObject() qgraphicsitem.cpp:7766 #4 0x2af0baf7e99c in QGraphicsWidget::~QGraphicsWidget() qgraphicswidget.cpp:231 #5 0x2af0baf7f8c0 in QGraphicsWidget::~QGraphicsWidget() qgraphicswidget.cpp:282 #6 0x2af0badcee34 in QGraphicsScene::clear() qgraphicsscene.cpp:2388 #7 0x2af0badcf3fc in QGraphicsScene::~QGraphicsScene() qgraphicsscene.cpp:1682 #8 0x4b26f0 in tst_QGraphicsWidget::popupMouseGrabber() tst_qgraphicswidget.cpp:47 Fix by using the existing graphics widget pointer, determined a line above to be equivalent to 'item', for the removePopup() function call instead of casting 'item' itself. The rest of removePopup() appears to be well-behaved and doesn't trigger any more UBSan errors, so it was indeed just the cast which was undefined, no member calls. Change-Id: Ia54da90262a7a02f527914a90b0208be0ffc0f0b Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Diffstat (limited to 'src')
-rw-r--r--src/widgets/graphicsview/qgraphicsscene.cpp2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/widgets/graphicsview/qgraphicsscene.cpp b/src/widgets/graphicsview/qgraphicsscene.cpp
index 9e0be0c280..ebc521eb00 100644
--- a/src/widgets/graphicsview/qgraphicsscene.cpp
+++ b/src/widgets/graphicsview/qgraphicsscene.cpp
@@ -987,7 +987,7 @@ void QGraphicsScenePrivate::ungrabMouse(QGraphicsItem *item, bool itemIsDying)
// If the item is a popup, go via removePopup to ensure state
// consistency and that it gets hidden correctly - beware that
// removePopup() reenters this function to continue removing the grab.
- removePopup((QGraphicsWidget *)item, itemIsDying);
+ removePopup(popupWidgets.constLast(), itemIsDying);
return;
}