From 237b36a72cf0646ba28e762bfde0cb398f4041e8 Mon Sep 17 00:00:00 2001
From: Marc Mutz <marc.mutz@kdab.com>
Date: Wed, 21 Sep 2016 09:15:40 +0200
Subject: QGraphicsWidget: Fix UB (invalid member calls) in destruction
 sequence

Found by UBSan:

  qgraphicswidget_p.h:72:5: runtime error: downcast of address 0x2ab6a8021400 which does not point to an object of type 'QGraphicsWidget'
  0x2ab6a8021400: note: object is of type 'QGraphicsObject'
   00 00 00 00  70 93 5c 91 b6 2a 00 00  f0 c0 01 a8 b6 2a 00 00  e8 81 5c 91 b6 2a 00 00  10 bf 01 a8
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QGraphicsObject'
    #0 0x2ab68f2fdd7c in QGraphicsWidgetPrivate::q_func() qgraphicswidget_p.h:72
    #1 0x2ab68f2fdd7c in QGraphicsWidgetPrivate::fixFocusChainBeforeReparenting(QGraphicsWidget*, QGraphicsScene*, QGraphicsScene*) qgraphicswidget_p.cpp:775
    #2 0x2ab68f020d2a in QGraphicsItemPrivate::setParentItemHelper(QGraphicsItem*, QVariant const*, QVariant const*) qgraphicsitem.cpp:1181
    #3 0x2ab68f024f73 in QGraphicsItem::setParentItem(QGraphicsItem*) qgraphicsitem.cpp:1781
    #4 0x2ab68f168401 in QGraphicsScenePrivate::removeItemHelper(QGraphicsItem*) qgraphicsscene.cpp:620
    #5 0x2ab68f02c166 in QGraphicsItem::~QGraphicsItem() qgraphicsitem.cpp:1555
    #6 0x2ab68f02ebb8 in QGraphicsObject::~QGraphicsObject() qgraphicsitem.cpp:7766
    #7 0x2ab68f2d8888 in QGraphicsWidget::~QGraphicsWidget() qgraphicswidget.cpp:231
    #8 0x4bce62 in SubQGraphicsWidget::~SubQGraphicsWidget() /tst_qgraphicswidget.cpp:175
    #9 0x4bce62 in SubQGraphicsWidget::~SubQGraphicsWidget() /tst_qgraphicswidget.cpp:175
    #10 0x2ab68f02c9ec in QGraphicsItem::~QGraphicsItem() qgraphicsitem.cpp:1550
    #11 0x2ab68f02ebb8 in QGraphicsObject::~QGraphicsObject() qgraphicsitem.cpp:7766
    #12 0x2ab68f2d8888 in QGraphicsWidget::~QGraphicsWidget() qgraphicswidget.cpp:231
    #13 0x4bce62 in SubQGraphicsWidget::~SubQGraphicsWidget() /tst_qgraphicswidget.cpp:175
    #14 0x4bce62 in SubQGraphicsWidget::~SubQGraphicsWidget() /tst_qgraphicswidget.cpp:175
    #15 0x2ab68f128da4 in QGraphicsScene::clear() qgraphicsscene.cpp:2388
    #16 0x2ab68f12936c in QGraphicsScene::~QGraphicsScene() qgraphicsscene.cpp:1682
    #17 0x44d44c in tst_QGraphicsWidget::focusWidget() /tst_qgraphicswidget.cpp:435

  qgraphicswidget_p.cpp:805:24: runtime error: member call on address 0x2ab6a8021400 which does not point to an object of type 'QGraphicsWidget'
  0x2ab6a8021400: note: object is of type 'QGraphicsObject'
   00 00 00 00  70 93 5c 91 b6 2a 00 00  f0 c0 01 a8 b6 2a 00 00  e8 81 5c 91 b6 2a 00 00  10 bf 01 a8
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QGraphicsObject'
    #0 0x2ab68f2fdc68 in QGraphicsWidgetPrivate::fixFocusChainBeforeReparenting(QGraphicsWidget*, QGraphicsScene*, QGraphicsScene*) qgraphicswidget_p.cpp:805
    #1 0x2ab68f020d2a in QGraphicsItemPrivate::setParentItemHelper(QGraphicsItem*, QVariant const*, QVariant const*) qgraphicsitem.cpp:1181
    [... identical lines omitted ...]

  qgraphicswidget_p.cpp:806:23: runtime error: member call on address 0x2ab6a8021400 which does not point to an object of type 'QGraphicsWidget'
  0x2ab6a8021400: note: object is of type 'QGraphicsObject'
   00 00 00 00  70 93 5c 91 b6 2a 00 00  f0 c0 01 a8 b6 2a 00 00  e8 81 5c 91 b6 2a 00 00  10 bf 01 a8
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QGraphicsObject'
    #0 0x2ab68f2fdb6b in QGraphicsWidgetPrivate::fixFocusChainBeforeReparenting(QGraphicsWidget*, QGraphicsScene*, QGraphicsScene*) qgraphicswidget_p.cpp:806
    #1 0x2ab68f020d2a in QGraphicsItemPrivate::setParentItemHelper(QGraphicsItem*, QVariant const*, QVariant const*) qgraphicsitem.cpp:1181
    [... identical lines omitted ...]

  qgraphicswidget_p.cpp:827:26: runtime error: member call on address 0x2ab6a8021400 which does not point to an object of type 'QGraphicsWidget'
  0x2ab6a8021400: note: object is of type 'QGraphicsObject'
   00 00 00 00  70 93 5c 91 b6 2a 00 00  f0 c0 01 a8 b6 2a 00 00  e8 81 5c 91 b6 2a 00 00  10 bf 01 a8
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QGraphicsObject'
    #0 0x2ab68f2fdf91 in QGraphicsWidgetPrivate::fixFocusChainBeforeReparenting(QGraphicsWidget*, QGraphicsScene*, QGraphicsScene*) qgraphicswidget_p.cpp:827
    #1 0x2ab68f020d2a in QGraphicsItemPrivate::setParentItemHelper(QGraphicsItem*, QVariant const*, QVariant const*) qgraphicsitem.cpp:1181
    [... identical lines omitted ...]

Fix by moving the setParentItem(nullptr) call up the call stack
into ~QGraphicsWidget(), ensuring that the object is still a
QGraphicsWidget when these calls are made.

Change-Id: I264779e33098e9752de9a312a146fb203578a3cc
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Giuseppe D'Angelo <giuseppe.dangelo@kdab.com>
---
 src/widgets/graphicsview/qgraphicswidget.cpp | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'src/widgets/graphicsview')

diff --git a/src/widgets/graphicsview/qgraphicswidget.cpp b/src/widgets/graphicsview/qgraphicswidget.cpp
index 2700605a71..125174627d 100644
--- a/src/widgets/graphicsview/qgraphicswidget.cpp
+++ b/src/widgets/graphicsview/qgraphicswidget.cpp
@@ -267,6 +267,11 @@ QGraphicsWidget::~QGraphicsWidget()
 
     // Remove this graphics widget from widgetStyles
     widgetStyles()->setStyleForWidget(this, 0);
+
+    // Unset the parent here, when we're still a QGraphicsWidget.
+    // It is otherwise done in ~QGraphicsItem() where we'd be
+    // calling QGraphicsWidget members on an ex-QGraphicsWidget object
+    setParentItem(Q_NULLPTR);
 }
 
 /*!
-- 
cgit v1.2.3