From 720e243d88e352276cfbbe0b13fa4860fb020b29 Mon Sep 17 00:00:00 2001 From: Eskil Abrahamsen Blomfeldt Date: Thu, 20 Sep 2018 12:07:37 +0200 Subject: Fix crash when detaching dangling QTextCursor When a QTextCursor survives its QTextDocument, the internal QTextDocumentPrivate pointer is set to null. There are checks for this in all the QTextCursor functions to skip out early if such a QTextCursor is used. However, when executing the "if (d->priv)" condition in setters, this will access the non-const operator->() of QSharedDataPointer and detach the QTextCursorPrivate, and in the copy constructor of this class, there was an unprotected call into priv->addCursor(). In theory, we could cast all the checks for d->priv to avoid detaching, but in practice this doesn't matter, since the setters will typically detach anyway later on. [ChangeLog][QtGui][Text] Fixed a crash that can happen when calling a setter on a QTextCursor after its QTextDocument has been deleted. Task-number: QTBUG-70293 Change-Id: I8f6dc5bb344d1d824f673c0c220b68b7fee237a8 Reviewed-by: Konstantin Ritt Reviewed-by: Simon Hausmann --- src/gui/text/qtextcursor.cpp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src/gui/text/qtextcursor.cpp') diff --git a/src/gui/text/qtextcursor.cpp b/src/gui/text/qtextcursor.cpp index f32c31d18e..af8fcf369c 100644 --- a/src/gui/text/qtextcursor.cpp +++ b/src/gui/text/qtextcursor.cpp @@ -80,7 +80,8 @@ QTextCursorPrivate::QTextCursorPrivate(const QTextCursorPrivate &rhs) visualNavigation = rhs.visualNavigation; keepPositionOnInsert = rhs.keepPositionOnInsert; changed = rhs.changed; - priv->addCursor(this); + if (priv != nullptr) + priv->addCursor(this); } QTextCursorPrivate::~QTextCursorPrivate() -- cgit v1.2.3
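Review bot: The patch ships without a regression test: the diffstat shows only src/gui/text/qtextcursor.cpp changed, yet the commit message describes a reproducible crash (delete the QTextDocument, then call a setter on a surviving QTextCursor so the QSharedDataPointer detaches and runs this copy constructor). A test that constructs a cursor, deletes its document, copies the cursor and calls a setter would pin the fix for QTBUG-70293 and catch any future unguarded priv-> use. On the hunk itself, the guard `if (priv != nullptr) priv->addCursor(this);` is correct for the path described, but the same invariant (priv may be null once the document is gone) applies to every other dereference in this class; the destructor that follows the hunk, `QTextCursorPrivate::~QTextCursorPrivate()`, is only visible as context here, so its body should be checked for a matching guard before it unregisters the cursor, otherwise destroying the detached copy could crash the same way. Minor style point: the commit message refers to the existing checks as "if (d->priv)", so `if (priv)` would match the surrounding code's convention better than the explicit `!= nullptr` comparison.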