From 88b6abcebf29b455438d8da7db9fd5aa1aed2bf5 Mon Sep 17 00:00:00 2001
From: Olivier Goffart <ogoffart@woboq.com>
Date: Tue, 18 Apr 2017 17:01:22 +0200
Subject: Fix UB in QStandardItemModel

The destructor of QStandardItem needs to access the model. So we need to
destroy them before the QStrandardItemModel gets destroyed.
In the destructor of the private, it is already too late because we are
already in the ~QObject

Since the destructor of QStandardItemPrivate is now empty, remove it
completely. There is no need for QStandardItemPrivate to have a virtual
table as there are no class that inherit from it.

Change-Id: Id6639e21f277f1c4e85c3f9bc720b4f29eb16c2c
Reviewed-by: Marc Mutz <marc.mutz@kdab.com>
---
 src/gui/itemmodels/qstandarditemmodel.cpp | 34 +++++++++++++------------------
 src/gui/itemmodels/qstandarditemmodel_p.h |  1 -
 2 files changed, 14 insertions(+), 21 deletions(-)

diff --git a/src/gui/itemmodels/qstandarditemmodel.cpp b/src/gui/itemmodels/qstandarditemmodel.cpp
index e965045524..1d6e2924b1 100644
--- a/src/gui/itemmodels/qstandarditemmodel.cpp
+++ b/src/gui/itemmodels/qstandarditemmodel.cpp
@@ -88,23 +88,6 @@ public:
     }
 };
 
-/*!
-  \internal
-*/
-QStandardItemPrivate::~QStandardItemPrivate()
-{
-    QVector<QStandardItem*>::const_iterator it;
-    for (it = children.constBegin(); it != children.constEnd(); ++it) {
-        QStandardItem *child = *it;
-        if (child)
-            child->d_func()->setModel(0);
-        delete child;
-    }
-    children.clear();
-    if (parent && model)
-        parent->d_func()->childDeleted(q_func());
-}
-
 /*!
   \internal
 */
@@ -340,9 +323,6 @@ QStandardItemModelPrivate::QStandardItemModelPrivate()
 */
 QStandardItemModelPrivate::~QStandardItemModelPrivate()
 {
-    delete itemPrototype;
-    qDeleteAll(columnHeaderItems);
-    qDeleteAll(rowHeaderItems);
 }
 
 /*!
@@ -780,6 +760,15 @@ QStandardItem &QStandardItem::operator=(const QStandardItem &other)
 */
 QStandardItem::~QStandardItem()
 {
+    Q_D(QStandardItem);
+    for (QStandardItem *child : qAsConst(d->children)) {
+        if (child)
+            child->d_func()->setModel(0);
+        delete child;
+    }
+    d->children.clear();
+    if (d->parent && d->model)
+        d->parent->d_func()->childDeleted(this);
 }
 
 /*!
@@ -2116,6 +2105,11 @@ QStandardItemModel::QStandardItemModel(QStandardItemModelPrivate &dd, QObject *p
 */
 QStandardItemModel::~QStandardItemModel()
 {
+    Q_D(QStandardItemModel);
+    delete d->itemPrototype;
+    qDeleteAll(d->columnHeaderItems);
+    qDeleteAll(d->rowHeaderItems);
+    d->root.reset();
 }
 
 /*!
diff --git a/src/gui/itemmodels/qstandarditemmodel_p.h b/src/gui/itemmodels/qstandarditemmodel_p.h
index fbba93b93a..516cce8613 100644
--- a/src/gui/itemmodels/qstandarditemmodel_p.h
+++ b/src/gui/itemmodels/qstandarditemmodel_p.h
@@ -105,7 +105,6 @@ public:
           q_ptr(0),
           lastIndexOf(2)
         { }
-    virtual ~QStandardItemPrivate();
 
     inline int childIndex(int row, int column) const {
         if ((row < 0) || (column < 0)
-- 
cgit v1.2.3