From 0cccc23478432240f44cabfd853e60ff8c84c692 Mon Sep 17 00:00:00 2001
From: Marc Mutz <marc.mutz@kdab.com>
Date: Sun, 9 Oct 2016 18:08:14 +0200
Subject: QNetworkReplyHttpImpl: Fix UB (member call) in destruction sequence

Found by UBSan:

  qnetworkreplyhttpimpl.cpp:457:29: runtime error: member call on address 0x602000009cf0 which does not point to an object of type 'QNetworkReplyHttpImpl'
  0x602000009cf0: note: object is of type 'QObject'
   1e 00 80 18  20 e0 bb 12 54 7f 00 00  00 f2 00 00 70 61 00 00  02 00 00 00 ff ff ff 06  08 00 00 00
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QObject'
    #0 0x7f541461b71b in QNetworkReplyHttpImplPrivate::~QNetworkReplyHttpImplPrivate() qnetworkreplyhttpimpl.cpp:457
    #1 0x7f541461b7f0 in QNetworkReplyHttpImplPrivate::~QNetworkReplyHttpImplPrivate() qnetworkreplyhttpimpl.cpp:458
    #2 0x7f540f26df1a in QScopedPointerDeleter<QObjectData>::cleanup(QObjectData*) qscopedpointer.h:54
    #3 0x7f540f26df1a in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer() qscopedpointer.h:101
    #4 0x7f540f26df1a in QObject::~QObject() qobject.cpp:940
    #5 0x7f540e915f6e in QIODevice::~QIODevice() qiodevice.cpp:416
    #6 0x7f5414599bae in QNetworkReply::~QNetworkReply() qnetworkreply.cpp:444
    #7 0x7f54145e6f5e in QNetworkReplyHttpImpl::~QNetworkReplyHttpImpl() qnetworkreplyhttpimpl.cpp:239
    #8 0x7f54145e6f5e in QNetworkReplyHttpImpl::~QNetworkReplyHttpImpl() qnetworkreplyhttpimpl.cpp:242
    #9 0x7f54144b3539 in void qDeleteAll<QList<QNetworkReply*>::const_iterator>(QList<QNetworkReply*>::const_iterator, QList<QNetworkReply*>::const_iterator) qalgorithms.h:317
    #10 0x7f54144b3539 in void qDeleteAll<QList<QNetworkReply*> >(QList<QNetworkReply*> const&) qalgorithms.h:325
    #11 0x7f54144b3539 in QNetworkAccessManager::~QNetworkAccessManager() qnetworkaccessmanager.cpp:496

Fix by moving the emission of the QNetworkReplyHttpImpl::abortHttpRequest()
signal from ~Private, when the public object is merely a QObject anymore,
to ~QNetworkReplyHttpImpl(), when the public class is still itself.

Change-Id: Ifb3b19f6d180452bdf3fc26f54629ef780a5d9d9
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@theqtcompany.com>
---
 src/network/access/qnetworkreplyhttpimpl.cpp | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

(limited to 'src/network/access/qnetworkreplyhttpimpl.cpp')

diff --git a/src/network/access/qnetworkreplyhttpimpl.cpp b/src/network/access/qnetworkreplyhttpimpl.cpp
index 94235a48dd..fe8277ba92 100644
--- a/src/network/access/qnetworkreplyhttpimpl.cpp
+++ b/src/network/access/qnetworkreplyhttpimpl.cpp
@@ -238,7 +238,8 @@ QNetworkReplyHttpImpl::QNetworkReplyHttpImpl(QNetworkAccessManager* const manage
 
 QNetworkReplyHttpImpl::~QNetworkReplyHttpImpl()
 {
-    // Most work is done in private destructor
+    // This will do nothing if the request was already finished or aborted
+    emit abortHttpRequest();
 }
 
 void QNetworkReplyHttpImpl::close()
@@ -452,9 +453,6 @@ QNetworkReplyHttpImplPrivate::QNetworkReplyHttpImplPrivate()
 
 QNetworkReplyHttpImplPrivate::~QNetworkReplyHttpImplPrivate()
 {
-    Q_Q(QNetworkReplyHttpImpl);
-    // This will do nothing if the request was already finished or aborted
-    emit q->abortHttpRequest();
 }
 
 /*
-- 
cgit v1.2.3