From fcf4767bffd201a0b8da1ed6f5425e3f5ce0e4ff Mon Sep 17 00:00:00 2001
From: Marc Mutz <marc.mutz@kdab.com>
Date: Mon, 26 Sep 2016 19:56:07 +0200
Subject: QLayout: Fix UB (invalid cast) in widgetEvent()

Found by UBSan:

  qlayout.cpp:612:50: runtime error: downcast of address 0x7ffcd4c39a70 which does not point to an object of type 'QWidget'
  0x7ffcd4c39a70: note: object is of type 'QObject'
   00 00 00 00  b0 43 4c 7b f5 2a 00 00  70 c9 28 02 00 00 00 00  08 93 9a 77 f5 2a 00 00  00 00 c3 d4
                ^~~~~~~~~~~~~~~~~~~~~~~
                vptr for 'QObject'
    #0 0x2af56f189960 in QLayout::widgetEvent(QEvent*) qlayout.cpp:612
    #1 0x2af56f037660 in QApplicationPrivate::notify_helper(QObject*, QEvent*) qapplication.cpp:3732
    #2 0x2af56f06ae5b in QApplication::notify(QObject*, QEvent*) qapplication.cpp:3704
    #3 0x2af57989e383 in QCoreApplication::notifyInternal2(QObject*, QEvent*) qcoreapplication.cpp:988
    #4 0x2af5799c1696 in QCoreApplication::sendEvent(QObject*, QEvent*) qcoreapplication.h:231
    #5 0x2af5799c1696 in QObjectPrivate::setParent_helper(QObject*) qobject.cpp:2043
    #6 0x2af5799c4823 in QObject::~QObject() qobject.cpp:1095
    #7 0x2af56f2d205d in QWidget::~QWidget() qwidget.cpp:1549
    #8 0x2af56f9c1366 in QFrame::~QFrame() qframe.cpp:262
    #9 0x2af56f9e76cb in QLabel::~QLabel() qlabel.cpp:247
    #10 0x458077 in tst_QStyleSheetStyle::emptyStyleSheet() tst_qstylesheetstyle.cpp:1400

Fix by not casting at all (or, to be precise, casting implicitly up
instead of explicitly down).

Change-Id: Ic19fd29e0cabd1aee5b1c93ca4c0fc70bc7a5927
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
---
 src/widgets/kernel/qlayout.cpp | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

(limited to 'src/widgets/kernel/qlayout.cpp')

diff --git a/src/widgets/kernel/qlayout.cpp b/src/widgets/kernel/qlayout.cpp
index 8631149f3d..7ca8de6f7a 100644
--- a/src/widgets/kernel/qlayout.cpp
+++ b/src/widgets/kernel/qlayout.cpp
@@ -540,7 +540,7 @@ void QLayout::invalidate()
     update();
 }
 
-static bool removeWidgetRecursively(QLayoutItem *li, QWidget *w)
+static bool removeWidgetRecursively(QLayoutItem *li, QObject *w)
 {
     QLayout *lay = li->layout();
     if (!lay)
@@ -603,12 +603,11 @@ void QLayout::widgetEvent(QEvent *e)
         {
             QChildEvent *c = (QChildEvent *)e;
             if (c->child()->isWidgetType()) {
-                QWidget *w = (QWidget *)c->child();
 #ifndef QT_NO_MENUBAR
-                if (w == d->menubar)
+                if (c->child() == d->menubar)
                     d->menubar = 0;
 #endif
-                removeWidgetRecursively(this, w);
+                removeWidgetRecursively(this, c->child());
             }
         }
         break;
-- 
cgit v1.2.3