From c65621b36208556556ffaad473b53a3782ad5fd6 Mon Sep 17 00:00:00 2001
From: Marc Mutz
Date: Tue, 27 Sep 2016 13:41:55 +0200
Subject: QWidget: Fix UB (invalid cast) in sendResizeEvents()

Found by UBSan:
qwidget.cpp:5228:62: runtime error: downcast of address 0x61b00003d480 which does not point to an object of type 'QWidget'
0x61b00003d480: note: object is of type 'QMainWindowLayout'
bc 00 00 75 90 2e 2a 78 4f 2b 00 00 40 c1 02 00 f0 60 00 00 78 2f 2a 78 4f 2b 00 00 00 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'QMainWindowLayout'
#0 0x2b4f70efb1c2 in sendResizeEvents qwidget.cpp:5228
#1 0x2b4f70f65f7f in QWidget::grab(QRect const&) qwidget.cpp:5252
#2 0x6b1746 in tst_QWidget::render_task188133() tst_qwidget.cpp:6615
Fix by performing the cast only after the test for isWidgetType() has succeeded.
Change-Id: I061a60ef35bcb5fbefb9bc7b84706c9dd5afd207
Reviewed-by: Thiago Macieira
---
 src/widgets/kernel/qwidget.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'src/widgets')
diff --git a/src/widgets/kernel/qwidget.cpp b/src/widgets/kernel/qwidget.cpp
index b99fca6620..b2db4e1529 100644
--- a/src/widgets/kernel/qwidget.cpp
+++ b/src/widgets/kernel/qwidget.cpp
@@ -5201,8 +5201,10 @@ static void sendResizeEvents(QWidget *target)
 
 const QObjectList children = target->children();
 for (int i = 0; i < children.size(); ++i) {
+ if (!children.at(i)->isWidgetType())
+ continue;
 QWidget *child = static_cast(children.at(i));
- if (child->isWidgetType() && !child->isWindow() && child->testAttribute(Qt::WA_PendingResizeEvent))
+ if (!child->isWindow() && child->testAttribute(Qt::WA_PendingResizeEvent))
 sendResizeEvents(child);
 }
 }
--
cgit v1.2.3
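Review bot: In the loop of sendResizeEvents() the type check and the `static_cast` are now separate statements, and their order is the entire fix. Nothing in the code records that, so a later cleanup could fold the test back into the condition after the cast and reintroduce the invalid downcast UBSan reported. Tying the two together would remove that risk: `QWidget *child = qobject_cast<QWidget *>(children.at(i));` followed by `if (!child) continue;`. Whether that costs more than the explicit isWidgetType() test in this Qt version should be confirmed. If the explicit form stays, add a comment above the check such as `// children() also holds non-widget QObjects (e.g. layouts); test the type before downcasting`. The function's opening lines are outside the hunk.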