From 20f7cfcbdab795b1730e3d1d14fc3833a7f5e705 Mon Sep 17 00:00:00 2001 From: Timur Pocheptsov Date: Thu, 26 Jan 2017 18:03:50 +0100 Subject: qnetworkproxy_mac - fix proxyAutoConfigCallback We have an invalid pointer dereference in our callback. Apple's docs are quite ambiguous, whatever we receive in our callback's 'client' parameter is our PACInfo, not clientContext's address. That's what we pass to CFNetworkExecuteProxyAutoConfigurationURL: "clientContext - A stream context containing a client info object and optionally retain and release callbacks for that object." This 'client info' is our PACInfo struct with 2 pointers. Now in a callback, 'client': "The client reference originally passed in the clientContext parameter of the ..." So apparently we should read this as "client info originally passed in ...." Otherwise incorrect cast results in invalid pointer (apparently the value of retain/release/copy pointers we carefully set to 0) and a crash on dereference. Task-number: QTBUG-56747 Change-Id: I89378f1582679638cd29a36c563e506d8f5af518 Reviewed-by: Gabriel de Dietrich --- src/network/kernel/qnetworkproxy_mac.cpp | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) (limited to 'src/network/kernel/qnetworkproxy_mac.cpp') diff --git a/src/network/kernel/qnetworkproxy_mac.cpp b/src/network/kernel/qnetworkproxy_mac.cpp index c13a472b90..92f91956b9 100644 --- a/src/network/kernel/qnetworkproxy_mac.cpp +++ b/src/network/kernel/qnetworkproxy_mac.cpp @@ -189,12 +189,19 @@ struct PACInfo { void proxyAutoConfigCallback(void *client, CFArrayRef proxylist, CFErrorRef error) { - PACInfo *info = reinterpret_cast(reinterpret_cast(client)->info); + Q_ASSERT(client); + + PACInfo *info = static_cast(client); info->done = true; - if (proxylist) + + if (error) { + CFRetain(error); + info->error = error; + } + if (proxylist) { CFRetain(proxylist); - info->proxies = proxylist; - info->error = error; + info->proxies = proxylist; + } } } // anon namespace -- cgit v1.2.3