path: root/src
diff options
authorThiago Macieira <>2017-04-07 13:12:05 -0700
committerThiago Macieira <>2017-04-09 17:06:41 +0000
commit75cdf654bcc192ba73a8834e507583a59140e7e4 (patch)
tree602253f0aa7884b7e5b4ca952afd0e84d678f31d /src
parent07bd5a90a3dccaa31940e3b1a78069f55e25405a (diff)
QMap: fix UB (invalid cast) in QMapData::end()
The end() pointer, like in all other containers, is a sentinel value that must never be dereferenced. But unlike array-based containers, end() in QMap is not "last element plus one", but points to a base class of Node, not a full Node. Therefore, the casting from QMapNodeBase to QMapNode must not be a static_cast, reinterpret_cast is required. libstdc++-v3's red-black tree had the exact same problem: Change-Id: I43f05fedf0b44314a2dafffd14b33697861ae589 Reviewed-by: Marc Mutz <>
Diffstat (limited to 'src')
1 files changed, 4 insertions, 2 deletions
diff --git a/src/corelib/tools/qmap.h b/src/corelib/tools/qmap.h
index 3f4f034b4e..da77ba4458 100644
--- a/src/corelib/tools/qmap.h
+++ b/src/corelib/tools/qmap.h
@@ -209,8 +209,10 @@ struct QMapData : public QMapDataBase
Node *root() const { return static_cast<Node *>(header.left); }
- const Node *end() const { return static_cast<const Node *>(&header); }
- Node *end() { return static_cast<Node *>(&header); }
+ // using reinterpret_cast because QMapDataBase::header is not
+ // actually a QMapNode.
+ const Node *end() const { return reinterpret_cast<const Node *>(&header); }
+ Node *end() { return reinterpret_cast<Node *>(&header); }
const Node *begin() const { if (root()) return static_cast<const Node*>(mostLeftNode); return end(); }
Node *begin() { if (root()) return static_cast<Node*>(mostLeftNode); return end(); }