From 622681eb508ddb1bd51a39b6887beddb43218504 Mon Sep 17 00:00:00 2001 From: Marc Mutz Date: Wed, 21 Sep 2016 10:01:01 +0200 Subject: QGraphicsScene: Fix UB (invalid cast) in Private::ungrabMouse() Found by UBSan: qgraphicsscene.cpp:1000:40: runtime error: downcast of address 0x2af0d4072b00 which does not point to an object of type 'QGraphicsWidget' 0x2af0d4072b00: note: object is of type 'QGraphicsObject' 00 00 00 00 30 f5 26 bd f0 2a 00 00 90 e1 05 d4 f0 2a 00 00 a8 e3 26 bd f0 2a 00 00 d0 33 0f d4 ^~~~~~~~~~~~~~~~~~~~~~~ vptr for 'QGraphicsObject' #0 0x2af0badf1305 in QGraphicsScenePrivate::ungrabMouse(QGraphicsItem*, bool) qgraphicsscene.cpp:1000 #1 0x2af0bae0fc24 in QGraphicsScenePrivate::removeItemHelper(QGraphicsItem*) qgraphicsscene.cpp:692 #2 0x2af0bacd21f6 in QGraphicsItem::~QGraphicsItem() qgraphicsitem.cpp:1555 #3 0x2af0bacd4c48 in QGraphicsObject::~QGraphicsObject() qgraphicsitem.cpp:7766 #4 0x2af0baf7e99c in QGraphicsWidget::~QGraphicsWidget() qgraphicswidget.cpp:231 #5 0x2af0baf7f8c0 in QGraphicsWidget::~QGraphicsWidget() qgraphicswidget.cpp:282 #6 0x2af0badcee34 in QGraphicsScene::clear() qgraphicsscene.cpp:2388 #7 0x2af0badcf3fc in QGraphicsScene::~QGraphicsScene() qgraphicsscene.cpp:1682 #8 0x4b26f0 in tst_QGraphicsWidget::popupMouseGrabber() tst_qgraphicswidget.cpp:47 Fix by using the existing graphics widget pointer, determined a line above to be equivalent to 'item', for the removePopup() function call instead of casting 'item' itself. The rest of removePopup() appears to be well-behaved and doesn't trigger any more UBSan errors, so it was indeed just the cast which was undefined, no member calls. Change-Id: Ia54da90262a7a02f527914a90b0208be0ffc0f0b Reviewed-by: Thiago Macieira
--- src/widgets/graphicsview/qgraphicsscene.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src')
diff --git a/src/widgets/graphicsview/qgraphicsscene.cpp b/src/widgets/graphicsview/qgraphicsscene.cpp
index 9e0be0c280..ebc521eb00 100644
--- a/src/widgets/graphicsview/qgraphicsscene.cpp
+++ b/src/widgets/graphicsview/qgraphicsscene.cpp
@@ -987,7 +987,7 @@ void QGraphicsScenePrivate::ungrabMouse(QGraphicsItem *item, bool itemIsDying)
 // If the item is a popup, go via removePopup to ensure state
 // consistency and that it gets hidden correctly - beware that
 // removePopup() reenters this function to continue removing the grab.
- removePopup((QGraphicsWidget *)item, itemIsDying);
+ removePopup(popupWidgets.constLast(), itemIsDying);
 return;
 }
-- cgit v1.2.3
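Review bot: The new `removePopup(popupWidgets.constLast(), itemIsDying)` call removes the invalid downcast, but when `itemIsDying` is true the pointee is, per the UBSan trace in the commit message, an object whose `QGraphicsWidget` part has already been destroyed (the call arrives from `QGraphicsItem::~QGraphicsItem()` via `removeItemHelper()`, and UBSan reports the object's dynamic type as `QGraphicsObject`), so any access to `QGraphicsWidget` members through that pointer inside `removePopup()` would be the same class of UB the cast was. The commit message rests on the runtime observation that `removePopup()` currently stays well-behaved; that contract is worth pinning next to the call so a later change to `removePopup()` does not silently reintroduce it, e.g. `// When itemIsDying, only the QGraphicsObject/QGraphicsItem parts of this object are still alive: removePopup() must not touch QGraphicsWidget members through this pointer.`. The equality between `item` and `popupWidgets.constLast()` that makes the substitution valid comes from the enclosing `if`, which, like the rest of `ungrabMouse()` and all of `removePopup()`, lies outside the hunk.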