From 75097c77822f38dfed883da7e6c30d108fb5b1ea Mon Sep 17 00:00:00 2001 From: Lars Knoll Date: Sun, 23 Aug 2020 19:27:11 +0200 Subject: Make the canConvertMetaObject method safe This triggered a crash in QtQml, where an manually created metattype interface set the PointerToQObject flag to true while not providing a metaobject. Change-Id: I206fb9655058a1e8a2d04e44186b05db33358338 Reviewed-by: Fabian Kosmale Reviewed-by: Lars Knoll --- src/corelib/kernel/qmetatype.cpp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'src/corelib/kernel')
diff --git a/src/corelib/kernel/qmetatype.cpp b/src/corelib/kernel/qmetatype.cpp
index 20d5c9130f..a87b98b12d 100644
--- a/src/corelib/kernel/qmetatype.cpp
+++ b/src/corelib/kernel/qmetatype.cpp
@@ -1968,9 +1968,10 @@ static bool convertToAssociativeIterable(QMetaType fromType, const void *from, v
 #ifndef QT_BOOTSTRAPPED
 static bool canConvertMetaObject(QMetaType fromType, QMetaType toType)
 {
- if ((fromType.flags() & QMetaType::PointerToQObject) && (toType.flags() & QMetaType::PointerToQObject)) {
- return fromType.metaObject()->inherits(toType.metaObject()) ||
- toType.metaObject()->inherits(fromType.metaObject());
+ const QMetaObject *f = fromType.metaObject();
+ const QMetaObject *t = toType.metaObject();
+ if (f && t) {
+ return f->inherits(t) || (t->inherits(f));
 }
 return false;
 }
-- cgit v1.2.3
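Review bot: The new `if (f && t)` guard in canConvertMetaObject fixes the null dereference but also drops the `QMetaType::PointerToQObject` flag test, so the predicate now holds for any two types that expose a meta-object, not only QObject pointers. `QMetaType::metaObject()` can also be non-null for Q_GADGET value types and gadget pointers, and if the caller (outside this hunk) goes on to treat the source as a `QObject *`, such a pair would be cast to the wrong type; this needs confirming against the call site. Keeping both checks avoids the widening: `if ((fromType.flags() & QMetaType::PointerToQObject) && (toType.flags() & QMetaType::PointerToQObject) && f && t) {`. A one-line comment such as `// metaObject() may be null even when PointerToQObject is set (hand-written QMetaTypeInterface)` would record why the null test exists, and the extra parentheses around `t->inherits(f)` can go.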