From ecd183455b8039ee15b9d51fd1111992af19ed1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Arve=20S=C3=A6ther?= <jan-arve.saether@qt.io>
Date: Wed, 11 Oct 2017 11:35:42 +0200
Subject: Refactor childIdListForAccessibleObject

It has several problems:

1. It could potentially create an intArray with uninitialized elements.
   This could happen because the index for getting interfaces were the
   same as the storage index.  This was not correct, because they could
   diverge if iface->child() returned an invalid interface.

2. The count of accessible child elements could change while iterating.
   This could cause out-of-bounds condition when calling
   SetIntArrayRegion as described in QTBUG-45855. Instead now, we call
   SetIntArrayRegion only once, after we have gathered all the child
   interface ids.

Task-number: QTBUG-45855
Change-Id: I77e813158df5f563d04931ac4e296e3fc2a16e67
Reviewed-by: Frederik Gladhorn <frederik.gladhorn@qt.io>
---
 src/plugins/platforms/android/androidjniaccessibility.cpp | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

(limited to 'src/plugins/platforms/android')

diff --git a/src/plugins/platforms/android/androidjniaccessibility.cpp b/src/plugins/platforms/android/androidjniaccessibility.cpp
index e4d670239f..a3bc58bb89 100644
--- a/src/plugins/platforms/android/androidjniaccessibility.cpp
+++ b/src/plugins/platforms/android/androidjniaccessibility.cpp
@@ -105,15 +105,15 @@ namespace QtAndroidAccessibility
     {
         QAccessibleInterface *iface = interfaceFromId(objectId);
         if (iface && iface->isValid()) {
-            jintArray jArray = env->NewIntArray(jsize(iface->childCount()));
-            for (int i = 0; i < iface->childCount(); ++i) {
+            const int childCount = iface->childCount();
+            QVarLengthArray<jint, 8> ifaceIdArray(childCount);
+            for (int i = 0; i < childCount; ++i) {
                 QAccessibleInterface *child = iface->child(i);
-                if (child && child->isValid()) {
-                    QAccessible::Id ifaceId = QAccessible::uniqueId(child);
-                    jint jid = ifaceId;
-                    env->SetIntArrayRegion(jArray, i, 1, &jid);
-                }
+                if (child && child->isValid())
+                    ifaceIdArray.append(QAccessible::uniqueId(child));
             }
+            jintArray jArray = env->NewIntArray(jsize(ifaceIdArray.count()));
+            env->SetIntArrayRegion(jArray, 0, ifaceIdArray.count(), ifaceIdArray.data());
             return jArray;
         }
 
-- 
cgit v1.2.3