From b942d3b971e769492265bee8cbcc16a8d94144d9 Mon Sep 17 00:00:00 2001 From: Andrei Golubev Date: Thu, 1 Jul 2021 15:24:46 +0200 Subject: Fix binding functor addressing in QProperty We create the callable object at sizeof(QPBP) offset from the beginning of the memory block. However, evaluateRecursive() uses sizeof() + alignment when fetching that same callable from the memory While on 64-bit platforms this is fine due to sizeof(QPBP) == QPBP::getSizeEnsuringAlignment(), this is broken for 32-bit systems where there's actually alignment bits that follow the QPBP struct in memory (and thus we cast a random memory location to an object) (Note: QPBP is short for QPropertyBindingPrivate) To fix this, change the offset for creation and destruction of the callable to the one that uses alignment. This way, evaluateRecursive() code becomes correct Fixes: QTBUG-93890 Change-Id: Ief57051846632fa61df4b79b3f054c25062a9498 Reviewed-by: Fabian Kosmale (cherry picked from commit 565864090d4ca38768c2268ffd265d2f4b49d1b0) Reviewed-by: Qt Cherry-pick Bot
---
 src/corelib/kernel/qproperty.cpp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'src')
diff --git a/src/corelib/kernel/qproperty.cpp b/src/corelib/kernel/qproperty.cpp
index 3e6595758b..a79ef98b5d 100644
--- a/src/corelib/kernel/qproperty.cpp
+++ b/src/corelib/kernel/qproperty.cpp
@@ -88,7 +88,8 @@ QPropertyBindingPrivate::~QPropertyBindingPrivate()
 if (firstObserver)
 firstObserver.unlink();
 if (vtable->size)
- vtable->destroy(reinterpret_cast(this) + sizeof(QPropertyBindingPrivate));
+ vtable->destroy(reinterpret_cast(this) +
+ QPropertyBindingPrivate::getSizeEnsuringAlignment());
 }
 
 void QPropertyBindingPrivate::unlinkAndDeref()
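Review bot: The functor offset is still computed by hand at each use site — here in the destructor, again in the constructor, and (per the commit message) in evaluateRecursive() — and the bug this commit fixes was exactly those sites disagreeing, so nothing in the new code stops a fourth copy from drifting again. I would centralize it in one private accessor on QPropertyBindingPrivate, `std::byte *functorStorage() { return reinterpret_cast<std::byte *>(this) + getSizeEnsuringAlignment(); }`, and make this line `vtable->destroy(functorStorage());`, with the constructor and evaluateRecursive() calling the same helper. Note that this hunk renders `reinterpret_cast(this)` without a template argument, which is presumably `std::byte *` lost in extraction rather than what is in the file; worth confirming against the source. It is also not visible here whether getSizeEnsuringAlignment() pads to an alignment that covers every callable the vtable can describe (the vtable exposes a size but no alignment in this hunk), so a one-line comment stating that assumption above the call would help the next reader. The destructor's body begins before this hunk; only its signature appears in the hunk header.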
@@ -171,7 +172,7 @@ QUntypedPropertyBinding::QUntypedPropertyBinding(QMetaType metaType, const Bindi
 {
 std::byte *mem = new std::byte[QPropertyBindingPrivate::getSizeEnsuringAlignment() + vtable->size]();
 d = new(mem) QPropertyBindingPrivate(metaType, vtable, std::move(location));
- vtable->moveConstruct(mem+sizeof(QPropertyBindingPrivate), function);
+ vtable->moveConstruct(mem + QPropertyBindingPrivate::getSizeEnsuringAlignment(), function);
 }
 
 QUntypedPropertyBinding::QUntypedPropertyBinding(QUntypedPropertyBinding &&other)
-- 
cgit v1.2.3
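Review bot: The added moveConstruct call runs unconditionally, whereas the destructor in the previous hunk guards `destroy` with `if (vtable->size)`; if a zero size means the binding carries no functor storage, the constructor should mirror that guard, `if (vtable->size) vtable->moveConstruct(mem + QPropertyBindingPrivate::getSizeEnsuringAlignment(), function);`, otherwise the asymmetry deserves a comment saying why it is safe. Independently, the offset on this line must stay identical to the one used in ~QPropertyBindingPrivate() and in evaluateRecursive(), and since this commit exists because they diverged, I would document that coupling right here: `// The callable lives at the aligned offset also used by ~QPropertyBindingPrivate() and evaluateRecursive(); keep the three in sync (QTBUG-93890).`. The hunk shows the vtable contributing a size to the allocation but no alignment, so whether getSizeEnsuringAlignment() is sufficient for an over-aligned callable cannot be confirmed from this page and should be stated as an assumption. The constructor's signature line precedes this hunk; its body is fully visible.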