From 79e0effead13f60676bb5170fe92615d981827e7 Mon Sep 17 00:00:00 2001 From: Eskil Abrahamsen Blomfeldt Date: Wed, 7 Aug 2019 15:25:49 +0200 Subject: Fix crash in QTextDocument::clearUndoRedoStacks() When calling QTextDocument::clearUndoRedoStacks() with UndoStack, there were two bugs: The first was that we were retrieving the item at "undoState" and deleting this. This is actually the upper limit of the for loop. If the stack does not contain any redos, then it would be == undoStack.size() and we would assert. If there were redos, then we would delete the item at undoState multiple times (actually undoState times). In addition, when the loop exited, we first removed the dangling pointers using remove() and then there was a weird resize() to the new size minus the old undoState. This would either assert because we tried to resize to a negative number, or it would arbitrarily remove items from the stack. [ChangeLog][QtGui][Text] Fixed a crash bug in QTextDocument::clearUndoRedoStacks(QTextDocument::UndoStack). Task-number: QTBUG-69546 Change-Id: I8a93e828ec27970763a2756071fa0b01678d2dcd Reviewed-by: Simon Hausmann Reviewed-by: Konstantin Ritt --- src/gui/text/qtextdocument_p.cpp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'src/gui/text/qtextdocument_p.cpp') diff --git a/src/gui/text/qtextdocument_p.cpp b/src/gui/text/qtextdocument_p.cpp index 66e038122c..059e665d12 100644 --- a/src/gui/text/qtextdocument_p.cpp +++ b/src/gui/text/qtextdocument_p.cpp @@ -1103,12 +1103,11 @@ void QTextDocumentPrivate::clearUndoRedoStacks(QTextDocument::Stacks stacksToCle bool redoCommandsAvailable = undoState != undoStack.size(); if (stacksToClear == QTextDocument::UndoStack && undoCommandsAvailable) { for (int i = 0; i < undoState; ++i) { - QTextUndoCommand c = undoStack.at(undoState); + QTextUndoCommand c = undoStack.at(i); if (c.command & QTextUndoCommand::Custom) delete c.custom; } undoStack.remove(0, undoState); - undoStack.resize(undoStack.size() - undoState); undoState = 0; if (emitSignals) emitUndoAvailable(false); -- cgit v1.2.3