From 0c4c841ce8cd3a3b8ebc636dd41f7c7a2011991d Mon Sep 17 00:00:00 2001
From: Volker Krause <volker.krause@kdab.com>
Date: Wed, 21 Jan 2015 22:20:26 +0100
Subject: Fix invalid memory access when a slot deletes the sender.

Only happens with active signal spy callbacks. The Connection object can
be deleted when returning from the slot here, so accessing it for the
method index for the signal end callback will access invalid memory.

Change-Id: I44643a171863c35a94e7a5ffa096fcaac5abd509
Reviewed-by: Milian Wolff <milian.wolff@kdab.com>
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
---
 src/corelib/kernel/qobject.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'src/corelib/kernel')

diff --git a/src/corelib/kernel/qobject.cpp b/src/corelib/kernel/qobject.cpp
index a1a04b3ce5..f2ceb7081c 100644
--- a/src/corelib/kernel/qobject.cpp
+++ b/src/corelib/kernel/qobject.cpp
@@ -3710,13 +3710,14 @@ void QMetaObject::activate(QObject *sender, int signalOffset, int local_signal_i
             } else if (callFunction && c->method_offset <= receiver->metaObject()->methodOffset()) {
                 //we compare the vtable to make sure we are not in the destructor of the object.
                 locker.unlock();
+                const int methodIndex = c->method();
                 if (qt_signal_spy_callback_set.slot_begin_callback != 0)
-                    qt_signal_spy_callback_set.slot_begin_callback(receiver, c->method(), argv ? argv : empty_argv);
+                    qt_signal_spy_callback_set.slot_begin_callback(receiver, methodIndex, argv ? argv : empty_argv);
 
                 callFunction(receiver, QMetaObject::InvokeMetaMethod, method_relative, argv ? argv : empty_argv);
 
                 if (qt_signal_spy_callback_set.slot_end_callback != 0)
-                    qt_signal_spy_callback_set.slot_end_callback(receiver, c->method());
+                    qt_signal_spy_callback_set.slot_end_callback(receiver, methodIndex);
                 locker.relock();
             } else {
                 const int method = method_relative + c->method_offset;
-- 
cgit v1.2.3