From 7bfe093ae5a904c375ae7b2635e681ff319c80af Mon Sep 17 00:00:00 2001
From: Lorenz Haas
Date: Tue, 28 Feb 2017 17:12:52 +0100
Subject: Fix possible use after free error in SQLite REGEXP

If the cache insertion fails, regexp is deleted and "subject.contains(*regexp);" is UB.

Coverity-Id: 176868
Change-Id: Ibf9340e019f09fdb8b2a82de8877cdfb2ffe1372
Reviewed-by: Milian Wolff
---
 src/plugins/sqldrivers/sqlite/qsql_sqlite.cpp | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
(limited to 'src')

diff --git a/src/plugins/sqldrivers/sqlite/qsql_sqlite.cpp b/src/plugins/sqldrivers/sqlite/qsql_sqlite.cpp
index 56eceeecbd..b42fd74b3e 100644
--- a/src/plugins/sqldrivers/sqlite/qsql_sqlite.cpp
+++ b/src/plugins/sqldrivers/sqlite/qsql_sqlite.cpp
@@ -574,14 +574,17 @@ static void _q_regexp(sqlite3_context* context, int argc, sqlite3_value** argv)
 reinterpret_cast(sqlite3_value_text(argv[1])));
 auto cache = static_cast*>(sqlite3_user_data(context));
- QRegularExpression *regexp = cache->object(pattern);
- if (!regexp) {
- regexp = new QRegularExpression(pattern, QRegularExpression::DontCaptureOption
- | QRegularExpression::OptimizeOnFirstUsageOption);
- cache->insert(pattern, regexp);
- }
+ auto regexp = cache->object(pattern);
+ const bool wasCached = regexp;
+
+ if (!wasCached)
+ regexp = new QRegularExpression(pattern, QRegularExpression::DontCaptureOption | QRegularExpression::OptimizeOnFirstUsageOption);
+
 const bool found = subject.contains(*regexp);
+ if (!wasCached)
+ cache->insert(pattern, regexp);
+
 sqlite3_result_int(context, int(found));
 }
-- 
cgit v1.2.3
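Review bot: The ordering that fixes the use-after-free is subtle and undocumented: nothing in the new code says why `cache->insert(pattern, regexp)` must come after `subject.contains(*regexp)`, so a later cleanup could move the insertion back next to the `new` and silently reintroduce the bug. A comment above the second `if (!wasCached)` such as `// QCache::insert() takes ownership and deletes regexp if it cannot be cached, so this must be the last use of regexp.` would pin the invariant where it matters. As a point of style, `const bool wasCached = regexp;` relies on an implicit pointer-to-bool conversion; `const bool wasCached = regexp != nullptr;` states the intent, and spelling out `QRegularExpression *regexp` instead of `auto` would make the later dereference obvious to a reader. `_q_regexp` begins before the hunk, so how `pattern` and `subject` are produced from the SQL arguments is not visible here.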