From bbb440bab261fecc7c9baf779dadf36659d3cf6f Mon Sep 17 00:00:00 2001
From: Marc Mutz
Date: Fri, 20 May 2016 06:28:26 +0200
Subject: QJsonValue: fix use-after-free in assignment operator
The assignment operator of a String QJsonValue that holds the only remaining reference to the QString::Data block was freeing the block before obtaining its own reference, leading to a use-after-free in the case where *this was passed as 'other' (self-assignment).
Fixed by reformulating the assignment operator in terms of the copy ctor, using the copy-swap idiom, with the twist that QJsonValue doesn't, yet, have a swap member function, so we use three per-member qSwap()s.
Change-Id: I3c5ccc4d9f32c7593af3fc6a0edbf12b7feb1391
Reviewed-by: Lars Knoll
---
 src/corelib/json/qjsonvalue.cpp | 24 +++++-------------------
 1 file changed, 5 insertions(+), 19 deletions(-)
(limited to 'src/corelib')
diff --git a/src/corelib/json/qjsonvalue.cpp b/src/corelib/json/qjsonvalue.cpp
index 76e5ae562f..c9f3ec35fe 100644
--- a/src/corelib/json/qjsonvalue.cpp
+++ b/src/corelib/json/qjsonvalue.cpp
@@ -269,25 +269,11 @@ QJsonValue::QJsonValue(const QJsonValue &other)
 */
 QJsonValue &QJsonValue::operator =(const QJsonValue &other)
 {
- if (t == String && stringData && !stringData->ref.deref())
- free(stringData);
-
- t = other.t;
- dbl = other.dbl;
-
- if (d != other.d) {
-
- if (d && !d->ref.deref())
- delete d;
- d = other.d;
- if (d)
- d->ref.ref();
-
- }
-
- if (t == String && stringData)
- stringData->ref.ref();
-
+ QJsonValue copy(other);
+ // swap(copy);
+ qSwap(dbl, copy.dbl);
+ qSwap(d, copy.d);
+ qSwap(t, copy.t);
 return *this;
 }
--
cgit v1.2.3
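Review bot: The new body swaps only `dbl`, `d` and `t`, while the removed code also managed `stringData`, so the fix is correct only if `stringData` shares storage with `dbl` (presumably a union — the hunk does not show the declaration, so this should be confirmed). That aliasing is what actually transfers the String reference, and it is invisible at the call site, so the `qSwap(dbl, copy.dbl);` line deserves a comment such as `// dbl aliases stringData in the value union, so this also hands the QString reference to copy, whose destructor releases our old one`. The bare `// swap(copy);` line reads as dead code; rewriting it as `// TODO: replace the three qSwap()s with swap(copy) once QJsonValue gains a swap() member` records the intent stated in the commit message. The copy-then-swap order also means the old string and object references are released only when `copy` is destroyed, after `*this` already holds the new ones, which is what closes the self-assignment use-after-free and makes the former `d != other.d` special case unnecessary.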