From 6f7b64e2a97034f84991e644abd609e73895ffb9 Mon Sep 17 00:00:00 2001
From: Thiago Macieira <thiago.macieira@intel.com>
Date: Tue, 26 Dec 2017 23:39:33 -0200
Subject: QMap: fix another UB (invalid cast) relating to QMap's end

Like in commit 75cdf654bcc192ba73a8834e507583a59140e7e4, we use the
pointer value of the QMap header (which is of type QMapNodeBase) as a
sentinel. It's never dereferenced. In that commit, the issue was calling
end() directly; in here, it happens when iterating forward from any
element, which means nextNode() can reach back to the header.

However, using static_cast is wrong, so we use reinterpret_cast.

Change-Id: I39332e0a867442d58082fffd15040317704a87ce
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
---
 src/corelib/tools/qmap.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/corelib/tools/qmap.h b/src/corelib/tools/qmap.h
index 37ed24000d..43acf09ea9 100644
--- a/src/corelib/tools/qmap.h
+++ b/src/corelib/tools/qmap.h
@@ -115,9 +115,9 @@ struct QMapNode : public QMapNodeBase
     inline QMapNode *leftNode() const { return static_cast<QMapNode *>(left); }
     inline QMapNode *rightNode() const { return static_cast<QMapNode *>(right); }
 
-    inline const QMapNode *nextNode() const { return static_cast<const QMapNode *>(QMapNodeBase::nextNode()); }
+    inline const QMapNode *nextNode() const { return reinterpret_cast<const QMapNode *>(QMapNodeBase::nextNode()); }
     inline const QMapNode *previousNode() const { return static_cast<const QMapNode *>(QMapNodeBase::previousNode()); }
-    inline QMapNode *nextNode() { return static_cast<QMapNode *>(QMapNodeBase::nextNode()); }
+    inline QMapNode *nextNode() { return reinterpret_cast<QMapNode *>(QMapNodeBase::nextNode()); }
     inline QMapNode *previousNode() { return static_cast<QMapNode *>(QMapNodeBase::previousNode()); }
 
     QMapNode<Key, T> *copy(QMapData<Key, T> *d) const;
-- 
cgit v1.2.3