From 26bc4ac5cb56ce8f2d3d10125fa9c6a72140573a Mon Sep 17 00:00:00 2001
From: Marc Mutz <marc.mutz@kdab.com>
Date: Tue, 21 Mar 2017 14:13:34 +0100
Subject: QToolBox: fix potential UB (invalid cast) in
 Private::_q_widgetDestroyed()

Don't cast an expiring QObject down to QWidget. Cast the QWidgets stored
internally up to QObject to perform the comparison. The result is the
same, but no invalid casts are possible anymore.

Found by independent review.

Change-Id: Iffa8a66cf5cab0270961befe982637ac8e4f0f7b
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@qt.io>
---
 src/widgets/widgets/qtoolbox.cpp | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

(limited to 'src')

diff --git a/src/widgets/widgets/qtoolbox.cpp b/src/widgets/widgets/qtoolbox.cpp
index 2c74b5fa9d..8413827e30 100644
--- a/src/widgets/widgets/qtoolbox.cpp
+++ b/src/widgets/widgets/qtoolbox.cpp
@@ -117,7 +117,7 @@ public:
     void _q_buttonClicked();
     void _q_widgetDestroyed(QObject*);
 
-    const Page *page(QWidget *widget) const;
+    const Page *page(const QObject *widget) const;
     const Page *page(int index) const;
     Page *page(int index);
 
@@ -129,7 +129,7 @@ public:
     Page *currentPage;
 };
 
-const QToolBoxPrivate::Page *QToolBoxPrivate::page(QWidget *widget) const
+const QToolBoxPrivate::Page *QToolBoxPrivate::page(const QObject *widget) const
 {
     if (!widget)
         return 0;
@@ -449,11 +449,9 @@ void QToolBoxPrivate::relayout()
 void QToolBoxPrivate::_q_widgetDestroyed(QObject *object)
 {
     Q_Q(QToolBox);
-    // no verification - vtbl corrupted already
-    QWidget *p = (QWidget*)object;
 
-    const QToolBoxPrivate::Page *c = page(p);
-    if (!p || !c)
+    const QToolBoxPrivate::Page * const c = page(object);
+    if (!c)
         return;
 
     layout->removeWidget(c->sv);
-- 
cgit v1.2.3