From 8740a87841689c97dc92f7600b33c260e4bf7f2c Mon Sep 17 00:00:00 2001 From: Marc Mutz Date: Sat, 30 Jul 2016 22:20:26 +0300 Subject: QAbstractItemView: Fix UB (invalid downcast) Just use QWidgetPrivate::get() instead. Fixes UBSan error: qabstractitemview.cpp:3814:61: runtime error: downcast of address 0x2b859001aa70 which does not point to an object of type 'QAbstractItemView' 0x2b859001aa70: note: object is of type 'QWidget' Change-Id: I0460fd8a0681e122d440755ebf07018d273b93f8 Reviewed-by: Olivier Goffart (Woboq GmbH) --- src/widgets/itemviews/qabstractitemview.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/widgets/itemviews') diff --git a/src/widgets/itemviews/qabstractitemview.cpp b/src/widgets/itemviews/qabstractitemview.cpp index f31f2f5256..cb40eae9a2 100644 --- a/src/widgets/itemviews/qabstractitemview.cpp +++ b/src/widgets/itemviews/qabstractitemview.cpp @@ -3821,7 +3821,7 @@ void QAbstractItemView::doAutoScroll() int horizontalValue = horizontalScroll->value(); QPoint pos = d->viewport->mapFromGlobal(QCursor::pos()); - QRect area = static_cast(d->viewport)->d_func()->clipRect(); // access QWidget private by bending C++ rules + QRect area = QWidgetPrivate::get(d->viewport)->clipRect(); // do the scrolling if we are in the scroll margins if (pos.y() - area.top() < margin) -- cgit v1.2.3 From 4ac28eda8edaff06ee7cb310108bfb9d9f1984ff Mon Sep 17 00:00:00 2001 From: Marc Mutz Date: Sun, 31 Jul 2016 07:40:41 +0300 Subject: QTreeWidget: Fix UB (member call) Before actually deleting QTreeWidgetItems from QTree{Model,Widget{,Item}} dtors, their 'view' members need to be set to nullptr, lest they attempt to delist themselves from the list of top-level items. For the QTreeModel::headerItem, this was forgottten. Found by UBSan: qtreewidget.cpp:1488:70: runtime error: member call on address 0x7ffd843dd470 which does not point to an object of type 'QAbstractItemView' 0x7ffd843dd470: note: object is of type 'QWidget' #0 0x2b83d5b48323 in QTreeWidgetItem::~QTreeWidgetItem() src/widgets/itemviews/qtreewidget.cpp:1488 #1 0x2b83d5b48860 in QTreeWidgetItem::~QTreeWidgetItem() src/widgets/itemviews/qtreewidget.cpp:1535 #2 0x2b83d5b41659 in QTreeModel::~QTreeModel() src/widgets/itemviews/qtreewidget.cpp:143 #3 0x2b83d5b41bc0 in QTreeModel::~QTreeModel() src/widgets/itemviews/qtreewidget.cpp:146 #4 0x2b83df220747 in QObjectPrivate::deleteChildren() src/corelib/kernel/qobject.cpp:2010 #5 0x2b83d4603dd0 in QWidget::~QWidget() src/widgets/kernel/qwidget.cpp:1675 #6 0x2b83d4d76066 in QFrame::~QFrame() src/widgets/widgets/qframe.cpp:256 #7 0x2b83d5270442 in QAbstractScrollArea::~QAbstractScrollArea() src/widgets/widgets/qabstractscrollarea.cpp:575 #8 0x2b83d5733eb9 in QAbstractItemView::~QAbstractItemView() src/widgets/itemviews/qabstractitemview.cpp:617 #9 0x2b83d598b216 in QTreeView::~QTreeView() src/widgets/itemviews/qtreeview.cpp:206 #10 0x2b83d5b218b6 in QTreeWidget::~QTreeWidget() src/widgets/itemviews/qtreewidget.cpp:2549 #11 0x4eef42 in tst_QTreeWidgetItemIterator::updateIfModifiedFromWidget() tests/auto/widgets/itemviews/qtreewidgetitemiterator/tst_qtreewidgetitemiterator.cpp:1089 Change-Id: I57c277adee8c99eb07b274d6d8ea1f6fbf3575be Reviewed-by: Olivier Goffart (Woboq GmbH) --- src/widgets/itemviews/qtreewidget.cpp | 1 + 1 file changed, 1 insertion(+) (limited to 'src/widgets/itemviews') diff --git a/src/widgets/itemviews/qtreewidget.cpp b/src/widgets/itemviews/qtreewidget.cpp index f33dd6af17..e0f6a3d5d1 100644 --- a/src/widgets/itemviews/qtreewidget.cpp +++ b/src/widgets/itemviews/qtreewidget.cpp @@ -140,6 +140,7 @@ QTreeModel::QTreeModel(QTreeModelPrivate &dd, QTreeWidget *parent) QTreeModel::~QTreeModel() { clear(); + headerItem->view = Q_NULLPTR; delete headerItem; rootItem->view = 0; delete rootItem; -- cgit v1.2.3 From a81be85b63f8caf817bb7c4a840ff3a3aaf49a83 Mon Sep 17 00:00:00 2001 From: Marc Mutz Date: Mon, 1 Aug 2016 10:05:28 +0300 Subject: QDataWidgetMapper: Fix UB (member call) As found by UBSan: qdatawidgetmapper.cpp:212:59: runtime error: member call on address 0x2b6cc8095be0 which does not point to an object of type 'QFocusHelper' 0x2b6cc8095be0: note: object is of type 'QLineEdit' Just make QDataWidgetMapperPrivate a friend of QWidget. Change-Id: I33d8d430c3a03b7173358d0f96dc7f850d11697c Reviewed-by: Olivier Goffart (Woboq GmbH) Reviewed-by: Friedemann Kleint --- src/widgets/itemviews/qdatawidgetmapper.cpp | 18 ++---------------- 1 file changed, 2 insertions(+), 16 deletions(-) (limited to 'src/widgets/itemviews') diff --git a/src/widgets/itemviews/qdatawidgetmapper.cpp b/src/widgets/itemviews/qdatawidgetmapper.cpp index ee7b3613a2..058a570437 100644 --- a/src/widgets/itemviews/qdatawidgetmapper.cpp +++ b/src/widgets/itemviews/qdatawidgetmapper.cpp @@ -199,20 +199,6 @@ void QDataWidgetMapperPrivate::_q_commitData(QWidget *w) commit(widgetMap.at(idx)); } -class QFocusHelper: public QWidget -{ -public: - bool focusNextPrevChild(bool next) Q_DECL_OVERRIDE - { - return QWidget::focusNextPrevChild(next); - } - - static inline void focusNextPrevChild(QWidget *w, bool next) - { - static_cast(w)->focusNextPrevChild(next); - } -}; - void QDataWidgetMapperPrivate::_q_closeEditor(QWidget *w, QAbstractItemDelegate::EndEditHint hint) { int idx = findWidget(w); @@ -224,10 +210,10 @@ void QDataWidgetMapperPrivate::_q_closeEditor(QWidget *w, QAbstractItemDelegate: populate(widgetMap[idx]); break; } case QAbstractItemDelegate::EditNextItem: - QFocusHelper::focusNextPrevChild(w, true); + w->focusNextChild(); break; case QAbstractItemDelegate::EditPreviousItem: - QFocusHelper::focusNextPrevChild(w, false); + w->focusPreviousChild(); break; case QAbstractItemDelegate::SubmitModelCache: case QAbstractItemDelegate::NoHint: -- cgit v1.2.3 From 08f38d22149f062006316997a04fee57c33bc577 Mon Sep 17 00:00:00 2001 From: Marc Mutz Date: Thu, 28 Jul 2016 19:51:53 +0300 Subject: tst_QAbstractItemView: Fix UB (invalid downcast, member call) As reported by UBSan: tst_qabstractitemview.cpp:336:23: runtime error: member call on address 0x7ffe6fe96e10 which does not point to an object of type 'TestView' 0x7ffe6fe96e10: note: object is of type 'QListView' tst_qabstractitemview.cpp:337:5: runtime error: member call on address 0x7ffe6fe96e10 which does not point to an object of type 'TestView' 0x7ffe6fe96e10: note: object is of type 'QListView' tst_qabstractitemview.cpp:338:23: runtime error: member call on address 0x7ffe6fe96e10 which does not point to an object of type 'TestView' 0x7ffe6fe96e10: note: object is of type 'QListView' [etc ...] Fix by making the test a friend of QAbstractItemView instead. Change-Id: I1a08977042296eb34e9dbdb5c0595662dbd2e5ef Reviewed-by: Friedemann Kleint Reviewed-by: Olivier Goffart (Woboq GmbH) --- src/widgets/itemviews/qabstractitemview.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'src/widgets/itemviews') diff --git a/src/widgets/itemviews/qabstractitemview.h b/src/widgets/itemviews/qabstractitemview.h index ff1848b149..82bc7cb9ae 100644 --- a/src/widgets/itemviews/qabstractitemview.h +++ b/src/widgets/itemviews/qabstractitemview.h @@ -39,6 +39,8 @@ #include #include +class tst_QAbstractItemView; + QT_BEGIN_NAMESPACE @@ -359,6 +361,7 @@ private: Q_PRIVATE_SLOT(d_func(), void _q_scrollerStateChanged()) #endif + friend class ::tst_QAbstractItemView; friend class QTreeViewPrivate; // needed to compile with MSVC friend class QListModeViewBase; friend class QListViewPrivate; -- cgit v1.2.3 From 5dc83974f7e6f72d715c4c940ca57741a550aa1c Mon Sep 17 00:00:00 2001 From: Marc Mutz Date: Thu, 28 Jul 2016 19:51:53 +0300 Subject: tst_QTreeView: Fix UB (invalid downcast, member call) As reported by UBSan: tst_qtreeview.cpp:2187:36: runtime error: downcast of address 0x7ffc15749f20 which does not point to an object of type 'PublicView' 0x7ffc15749f20: note: object is of type 'QTreeView' Fix by making the test a friend of QTreeView (and, for Clang, of QAbstractItemView) instead. Change-Id: I5b748696ab441a91058f4d45a18bd5ed75a6e560 Reviewed-by: Olivier Goffart (Woboq GmbH) --- src/widgets/itemviews/qabstractitemview.h | 2 ++ src/widgets/itemviews/qtreeview.h | 3 +++ 2 files changed, 5 insertions(+) (limited to 'src/widgets/itemviews') diff --git a/src/widgets/itemviews/qabstractitemview.h b/src/widgets/itemviews/qabstractitemview.h index 82bc7cb9ae..8d712280d3 100644 --- a/src/widgets/itemviews/qabstractitemview.h +++ b/src/widgets/itemviews/qabstractitemview.h @@ -40,6 +40,7 @@ #include class tst_QAbstractItemView; +class tst_QTreeView; QT_BEGIN_NAMESPACE @@ -362,6 +363,7 @@ private: #endif friend class ::tst_QAbstractItemView; + friend class ::tst_QTreeView; friend class QTreeViewPrivate; // needed to compile with MSVC friend class QListModeViewBase; friend class QListViewPrivate; diff --git a/src/widgets/itemviews/qtreeview.h b/src/widgets/itemviews/qtreeview.h index 546cc488cb..9257bb66fa 100644 --- a/src/widgets/itemviews/qtreeview.h +++ b/src/widgets/itemviews/qtreeview.h @@ -36,6 +36,8 @@ #include +class tst_QTreeView; + QT_BEGIN_NAMESPACE @@ -213,6 +215,7 @@ protected: void currentChanged(const QModelIndex ¤t, const QModelIndex &previous) Q_DECL_OVERRIDE; private: + friend class ::tst_QTreeView; friend class QAccessibleTable; friend class QAccessibleTree; friend class QAccessibleTableCell; -- cgit v1.2.3 From bc4ce55fff78610c15d6c8a0cb97526889cb5de3 Mon Sep 17 00:00:00 2001 From: BogDan Vatra Date: Thu, 4 Aug 2016 11:43:44 +0300 Subject: Don't call virtual functions with data from an old model Change-Id: I4f1ec56ce722110042f72761bbc2976e580b7149 Reviewed-by: David Faure Reviewed-by: Olivier Goffart (Woboq GmbH) --- src/widgets/itemviews/qabstractitemview.cpp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'src/widgets/itemviews') diff --git a/src/widgets/itemviews/qabstractitemview.cpp b/src/widgets/itemviews/qabstractitemview.cpp index cb40eae9a2..d36431c716 100644 --- a/src/widgets/itemviews/qabstractitemview.cpp +++ b/src/widgets/itemviews/qabstractitemview.cpp @@ -769,8 +769,10 @@ void QAbstractItemView::setSelectionModel(QItemSelectionModel *selectionModel) QModelIndex oldCurrentIndex; if (d->selectionModel) { - oldSelection = d->selectionModel->selection(); - oldCurrentIndex = d->selectionModel->currentIndex(); + if (d->selectionModel->model() == selectionModel->model()) { + oldSelection = d->selectionModel->selection(); + oldCurrentIndex = d->selectionModel->currentIndex(); + } disconnect(d->selectionModel, SIGNAL(selectionChanged(QItemSelection,QItemSelection)), this, SLOT(selectionChanged(QItemSelection,QItemSelection))); -- cgit v1.2.3