From 8740a87841689c97dc92f7600b33c260e4bf7f2c Mon Sep 17 00:00:00 2001 From: Marc Mutz Date: Sat, 30 Jul 2016 22:20:26 +0300 Subject: QAbstractItemView: Fix UB (invalid downcast) Just use QWidgetPrivate::get() instead. Fixes UBSan error: qabstractitemview.cpp:3814:61: runtime error: downcast of address 0x2b859001aa70 which does not point to an object of type 'QAbstractItemView' 0x2b859001aa70: note: object is of type 'QWidget' Change-Id: I0460fd8a0681e122d440755ebf07018d273b93f8 Reviewed-by: Olivier Goffart (Woboq GmbH) --- src/widgets/itemviews/qabstractitemview.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/widgets') diff --git a/src/widgets/itemviews/qabstractitemview.cpp b/src/widgets/itemviews/qabstractitemview.cpp index f31f2f5256..cb40eae9a2 100644 --- a/src/widgets/itemviews/qabstractitemview.cpp +++ b/src/widgets/itemviews/qabstractitemview.cpp @@ -3821,7 +3821,7 @@ void QAbstractItemView::doAutoScroll() int horizontalValue = horizontalScroll->value(); QPoint pos = d->viewport->mapFromGlobal(QCursor::pos()); - QRect area = static_cast(d->viewport)->d_func()->clipRect(); // access QWidget private by bending C++ rules + QRect area = QWidgetPrivate::get(d->viewport)->clipRect(); // do the scrolling if we are in the scroll margins if (pos.y() - area.top() < margin) -- cgit v1.2.3 From 4ac28eda8edaff06ee7cb310108bfb9d9f1984ff Mon Sep 17 00:00:00 2001 From: Marc Mutz Date: Sun, 31 Jul 2016 07:40:41 +0300 Subject: QTreeWidget: Fix UB (member call) Before actually deleting QTreeWidgetItems from QTree{Model,Widget{,Item}} dtors, their 'view' members need to be set to nullptr, lest they attempt to delist themselves from the list of top-level items. For the QTreeModel::headerItem, this was forgottten. Found by UBSan: qtreewidget.cpp:1488:70: runtime error: member call on address 0x7ffd843dd470 which does not point to an object of type 'QAbstractItemView' 0x7ffd843dd470: note: object is of type 'QWidget' #0 0x2b83d5b48323 in QTreeWidgetItem::~QTreeWidgetItem() src/widgets/itemviews/qtreewidget.cpp:1488 #1 0x2b83d5b48860 in QTreeWidgetItem::~QTreeWidgetItem() src/widgets/itemviews/qtreewidget.cpp:1535 #2 0x2b83d5b41659 in QTreeModel::~QTreeModel() src/widgets/itemviews/qtreewidget.cpp:143 #3 0x2b83d5b41bc0 in QTreeModel::~QTreeModel() src/widgets/itemviews/qtreewidget.cpp:146 #4 0x2b83df220747 in QObjectPrivate::deleteChildren() src/corelib/kernel/qobject.cpp:2010 #5 0x2b83d4603dd0 in QWidget::~QWidget() src/widgets/kernel/qwidget.cpp:1675 #6 0x2b83d4d76066 in QFrame::~QFrame() src/widgets/widgets/qframe.cpp:256 #7 0x2b83d5270442 in QAbstractScrollArea::~QAbstractScrollArea() src/widgets/widgets/qabstractscrollarea.cpp:575 #8 0x2b83d5733eb9 in QAbstractItemView::~QAbstractItemView() src/widgets/itemviews/qabstractitemview.cpp:617 #9 0x2b83d598b216 in QTreeView::~QTreeView() src/widgets/itemviews/qtreeview.cpp:206 #10 0x2b83d5b218b6 in QTreeWidget::~QTreeWidget() src/widgets/itemviews/qtreewidget.cpp:2549 #11 0x4eef42 in tst_QTreeWidgetItemIterator::updateIfModifiedFromWidget() tests/auto/widgets/itemviews/qtreewidgetitemiterator/tst_qtreewidgetitemiterator.cpp:1089 Change-Id: I57c277adee8c99eb07b274d6d8ea1f6fbf3575be Reviewed-by: Olivier Goffart (Woboq GmbH) --- src/widgets/itemviews/qtreewidget.cpp | 1 + 1 file changed, 1 insertion(+) (limited to 'src/widgets') diff --git a/src/widgets/itemviews/qtreewidget.cpp b/src/widgets/itemviews/qtreewidget.cpp index f33dd6af17..e0f6a3d5d1 100644 --- a/src/widgets/itemviews/qtreewidget.cpp +++ b/src/widgets/itemviews/qtreewidget.cpp @@ -140,6 +140,7 @@ QTreeModel::QTreeModel(QTreeModelPrivate &dd, QTreeWidget *parent) QTreeModel::~QTreeModel() { clear(); + headerItem->view = Q_NULLPTR; delete headerItem; rootItem->view = 0; delete rootItem; -- cgit v1.2.3 From a81be85b63f8caf817bb7c4a840ff3a3aaf49a83 Mon Sep 17 00:00:00 2001 From: Marc Mutz Date: Mon, 1 Aug 2016 10:05:28 +0300 Subject: QDataWidgetMapper: Fix UB (member call) As found by UBSan: qdatawidgetmapper.cpp:212:59: runtime error: member call on address 0x2b6cc8095be0 which does not point to an object of type 'QFocusHelper' 0x2b6cc8095be0: note: object is of type 'QLineEdit' Just make QDataWidgetMapperPrivate a friend of QWidget. Change-Id: I33d8d430c3a03b7173358d0f96dc7f850d11697c Reviewed-by: Olivier Goffart (Woboq GmbH) Reviewed-by: Friedemann Kleint --- src/widgets/itemviews/qdatawidgetmapper.cpp | 18 ++---------------- src/widgets/kernel/qwidget.h | 1 + 2 files changed, 3 insertions(+), 16 deletions(-) (limited to 'src/widgets') diff --git a/src/widgets/itemviews/qdatawidgetmapper.cpp b/src/widgets/itemviews/qdatawidgetmapper.cpp index ee7b3613a2..058a570437 100644 --- a/src/widgets/itemviews/qdatawidgetmapper.cpp +++ b/src/widgets/itemviews/qdatawidgetmapper.cpp @@ -199,20 +199,6 @@ void QDataWidgetMapperPrivate::_q_commitData(QWidget *w) commit(widgetMap.at(idx)); } -class QFocusHelper: public QWidget -{ -public: - bool focusNextPrevChild(bool next) Q_DECL_OVERRIDE - { - return QWidget::focusNextPrevChild(next); - } - - static inline void focusNextPrevChild(QWidget *w, bool next) - { - static_cast(w)->focusNextPrevChild(next); - } -}; - void QDataWidgetMapperPrivate::_q_closeEditor(QWidget *w, QAbstractItemDelegate::EndEditHint hint) { int idx = findWidget(w); @@ -224,10 +210,10 @@ void QDataWidgetMapperPrivate::_q_closeEditor(QWidget *w, QAbstractItemDelegate: populate(widgetMap[idx]); break; } case QAbstractItemDelegate::EditNextItem: - QFocusHelper::focusNextPrevChild(w, true); + w->focusNextChild(); break; case QAbstractItemDelegate::EditPreviousItem: - QFocusHelper::focusNextPrevChild(w, false); + w->focusPreviousChild(); break; case QAbstractItemDelegate::SubmitModelCache: case QAbstractItemDelegate::NoHint: diff --git a/src/widgets/kernel/qwidget.h b/src/widgets/kernel/qwidget.h index 2af1550ad1..c8e08a5bc4 100644 --- a/src/widgets/kernel/qwidget.h +++ b/src/widgets/kernel/qwidget.h @@ -668,6 +668,7 @@ protected: void destroy(bool destroyWindow = true, bool destroySubWindows = true); + friend class QDataWidgetMapperPrivate; // for access to focusNextPrevChild virtual bool focusNextPrevChild(bool next); inline bool focusNextChild() { return focusNextPrevChild(true); } inline bool focusPreviousChild() { return focusNextPrevChild(false); } -- cgit v1.2.3 From 08f38d22149f062006316997a04fee57c33bc577 Mon Sep 17 00:00:00 2001 From: Marc Mutz Date: Thu, 28 Jul 2016 19:51:53 +0300 Subject: tst_QAbstractItemView: Fix UB (invalid downcast, member call) As reported by UBSan: tst_qabstractitemview.cpp:336:23: runtime error: member call on address 0x7ffe6fe96e10 which does not point to an object of type 'TestView' 0x7ffe6fe96e10: note: object is of type 'QListView' tst_qabstractitemview.cpp:337:5: runtime error: member call on address 0x7ffe6fe96e10 which does not point to an object of type 'TestView' 0x7ffe6fe96e10: note: object is of type 'QListView' tst_qabstractitemview.cpp:338:23: runtime error: member call on address 0x7ffe6fe96e10 which does not point to an object of type 'TestView' 0x7ffe6fe96e10: note: object is of type 'QListView' [etc ...] Fix by making the test a friend of QAbstractItemView instead. Change-Id: I1a08977042296eb34e9dbdb5c0595662dbd2e5ef Reviewed-by: Friedemann Kleint Reviewed-by: Olivier Goffart (Woboq GmbH) --- src/widgets/itemviews/qabstractitemview.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'src/widgets') diff --git a/src/widgets/itemviews/qabstractitemview.h b/src/widgets/itemviews/qabstractitemview.h index ff1848b149..82bc7cb9ae 100644 --- a/src/widgets/itemviews/qabstractitemview.h +++ b/src/widgets/itemviews/qabstractitemview.h @@ -39,6 +39,8 @@ #include #include +class tst_QAbstractItemView; + QT_BEGIN_NAMESPACE @@ -359,6 +361,7 @@ private: Q_PRIVATE_SLOT(d_func(), void _q_scrollerStateChanged()) #endif + friend class ::tst_QAbstractItemView; friend class QTreeViewPrivate; // needed to compile with MSVC friend class QListModeViewBase; friend class QListViewPrivate; -- cgit v1.2.3 From 5dc83974f7e6f72d715c4c940ca57741a550aa1c Mon Sep 17 00:00:00 2001 From: Marc Mutz Date: Thu, 28 Jul 2016 19:51:53 +0300 Subject: tst_QTreeView: Fix UB (invalid downcast, member call) As reported by UBSan: tst_qtreeview.cpp:2187:36: runtime error: downcast of address 0x7ffc15749f20 which does not point to an object of type 'PublicView' 0x7ffc15749f20: note: object is of type 'QTreeView' Fix by making the test a friend of QTreeView (and, for Clang, of QAbstractItemView) instead. Change-Id: I5b748696ab441a91058f4d45a18bd5ed75a6e560 Reviewed-by: Olivier Goffart (Woboq GmbH) --- src/widgets/itemviews/qabstractitemview.h | 2 ++ src/widgets/itemviews/qtreeview.h | 3 +++ 2 files changed, 5 insertions(+) (limited to 'src/widgets') diff --git a/src/widgets/itemviews/qabstractitemview.h b/src/widgets/itemviews/qabstractitemview.h index 82bc7cb9ae..8d712280d3 100644 --- a/src/widgets/itemviews/qabstractitemview.h +++ b/src/widgets/itemviews/qabstractitemview.h @@ -40,6 +40,7 @@ #include class tst_QAbstractItemView; +class tst_QTreeView; QT_BEGIN_NAMESPACE @@ -362,6 +363,7 @@ private: #endif friend class ::tst_QAbstractItemView; + friend class ::tst_QTreeView; friend class QTreeViewPrivate; // needed to compile with MSVC friend class QListModeViewBase; friend class QListViewPrivate; diff --git a/src/widgets/itemviews/qtreeview.h b/src/widgets/itemviews/qtreeview.h index 546cc488cb..9257bb66fa 100644 --- a/src/widgets/itemviews/qtreeview.h +++ b/src/widgets/itemviews/qtreeview.h @@ -36,6 +36,8 @@ #include +class tst_QTreeView; + QT_BEGIN_NAMESPACE @@ -213,6 +215,7 @@ protected: void currentChanged(const QModelIndex ¤t, const QModelIndex &previous) Q_DECL_OVERRIDE; private: + friend class ::tst_QTreeView; friend class QAccessibleTable; friend class QAccessibleTree; friend class QAccessibleTableCell; -- cgit v1.2.3 From b92a63f7073b35a31f66af280bd50ddff1d15b50 Mon Sep 17 00:00:00 2001 From: Mitch Curtis Date: Wed, 27 Jul 2016 08:34:54 +0200 Subject: Fix typo in QMessageBox documentation Change-Id: I879817bf0209db331a9b1ef206bad7aa5b8a678f Reviewed-by: Friedemann Kleint --- src/widgets/dialogs/qmessagebox.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/widgets') diff --git a/src/widgets/dialogs/qmessagebox.cpp b/src/widgets/dialogs/qmessagebox.cpp index dbbf6cdc71..f32f7b0417 100644 --- a/src/widgets/dialogs/qmessagebox.cpp +++ b/src/widgets/dialogs/qmessagebox.cpp @@ -697,7 +697,7 @@ void QMessageBoxPrivate::_q_clicked(QPlatformDialogHelper::StandardButton button If the \l{QMessageBox::StandardButtons} {standard buttons} are not flexible enough for your message box, you can use the addButton() - overload that takes a text and a ButtonRoleto to add custom + overload that takes a text and a ButtonRole to add custom buttons. The ButtonRole is used by QMessageBox to determine the ordering of the buttons on screen (which varies according to the platform). You can test the value of clickedButton() after calling -- cgit v1.2.3 From bc4ce55fff78610c15d6c8a0cb97526889cb5de3 Mon Sep 17 00:00:00 2001 From: BogDan Vatra Date: Thu, 4 Aug 2016 11:43:44 +0300 Subject: Don't call virtual functions with data from an old model Change-Id: I4f1ec56ce722110042f72761bbc2976e580b7149 Reviewed-by: David Faure Reviewed-by: Olivier Goffart (Woboq GmbH) --- src/widgets/itemviews/qabstractitemview.cpp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'src/widgets') diff --git a/src/widgets/itemviews/qabstractitemview.cpp b/src/widgets/itemviews/qabstractitemview.cpp index cb40eae9a2..d36431c716 100644 --- a/src/widgets/itemviews/qabstractitemview.cpp +++ b/src/widgets/itemviews/qabstractitemview.cpp @@ -769,8 +769,10 @@ void QAbstractItemView::setSelectionModel(QItemSelectionModel *selectionModel) QModelIndex oldCurrentIndex; if (d->selectionModel) { - oldSelection = d->selectionModel->selection(); - oldCurrentIndex = d->selectionModel->currentIndex(); + if (d->selectionModel->model() == selectionModel->model()) { + oldSelection = d->selectionModel->selection(); + oldCurrentIndex = d->selectionModel->currentIndex(); + } disconnect(d->selectionModel, SIGNAL(selectionChanged(QItemSelection,QItemSelection)), this, SLOT(selectionChanged(QItemSelection,QItemSelection))); -- cgit v1.2.3