From b78342f553ee13944c19bfdf77cdf68b0de87e50 Mon Sep 17 00:00:00 2001 From: Timur Pocheptsov Date: Mon, 25 Jun 2018 13:50:52 +0200 Subject: QAbstractSocket - protect against the broken invariant MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It's possible to use QAbstractSocket (more precisely QUdpSocket) in a quite unusual way: connect to its stateChanged() signal and call close() in the slot (thus invalidating socketEngine pointer). For QAbstractSocket::bind() this results in a null-pointer dereference. Task-number: QTBUG-69063 Change-Id: Ife2c778ff59ccc7b99a96caa5ba67f877aaefe42 Reviewed-by: MÃ¥rten Nordheim
---
 src/network/socket/qabstractsocket.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'src/network/socket/qabstractsocket.cpp')
diff --git a/src/network/socket/qabstractsocket.cpp b/src/network/socket/qabstractsocket.cpp
index 13e10e4102..4d9fda00ce 100644
--- a/src/network/socket/qabstractsocket.cpp
+++ b/src/network/socket/qabstractsocket.cpp
@@ -1609,7 +1609,10 @@ bool QAbstractSocketPrivate::bind(const QHostAddress &address, quint16 port, QAb
 localPort = socketEngine->localPort();
 emit q->stateChanged(state);
- if (socketType == QAbstractSocket::UdpSocket)
+ // A slot attached to stateChanged() signal can break our invariant:
+ // by closing the socket it will reset its socket engine - thus we
+ // have additional check (isValid()) ...
+ if (q->isValid() && socketType == QAbstractSocket::UdpSocket)
 socketEngine->setReadNotificationEnabled(true);
 return true;
 }
-- cgit v1.2.3
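Review bot: The new isValid() guard protects only the setReadNotificationEnabled() call; when the stateChanged() slot has closed the socket (the case the commit message describes), bind() still falls through to `return true;` and reports success for a socket whose engine the slot has already torn down. A caller that acts on that true result, for example by starting to read datagrams, is then working on a closed socket. If the documented contract allows it, ending the function with `return q->isValid();` would report the actual outcome, but that changes the return value in the slot-closes-socket case and needs checking against existing callers before it is adopted. The trailing `...` in the added comment reads as unfinished; `// have an additional isValid() check here.` says the same thing without it. bind()'s body starts before this hunk, so any earlier use of socketEngine after a signal emission is not visible here.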