From 9d0bd169bbf950cca3705a8c855c82e236e928e8 Mon Sep 17 00:00:00 2001
From: Marc Mutz <marc.mutz@kdab.com>
Date: Fri, 25 Jun 2021 23:54:05 +0200
Subject: QVarLengthArray: fix aliasing error in insert(it, n, v)

Taking the copy after the resize is completely pointless: the copy is
there to ensure that `t`, being a reference potentially aliasing an
element in [begin(), end()[ before the resize(), isn't invalidated by
the resize(), so it must be taken before resize().

Add a comment so the next rewrite doesn't cause this to be mixed up
again.

[ChangeLog][QtCore][QVarLengthArray] Fixed an aliasing bug affecting
insertions of objects aliasing existing elements.

Change-Id: I26bc449fa99bf8d09a19147a12a69ac4314cc61d
Reviewed-by: Giuseppe D'Angelo <giuseppe.dangelo@kdab.com>
(cherry picked from commit 6e57e41f9aef5ccfa122c10bc6253d47dafd93d2)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
---
 src/corelib/tools/qvarlengtharray.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/corelib/tools/qvarlengtharray.h b/src/corelib/tools/qvarlengtharray.h
index 6a99602153..0cd811825c 100644
--- a/src/corelib/tools/qvarlengtharray.h
+++ b/src/corelib/tools/qvarlengtharray.h
@@ -633,8 +633,8 @@ Q_OUTOFLINE_TEMPLATE typename QVarLengthArray<T, Prealloc>::iterator QVarLengthA
 
     qsizetype offset = qsizetype(before - ptr);
     if (n != 0) {
+        const T copy(t); // `t` could alias an element in [begin(), end()[
         resize(s + n);
-        const T copy(t);
         if (!QTypeInfo<T>::isRelocatable) {
             T *b = ptr + offset;
             T *j = ptr + s;
-- 
cgit v1.2.3