From f5291bf8b4f74e7dcaa4911594fae8c929e28229 Mon Sep 17 00:00:00 2001
From: Marc Mutz <marc.mutz@kdab.com>
Date: Wed, 6 Jan 2016 17:46:11 +0100
Subject: Fix UB in tst_QObject::noDeclarativeParentChangedOnDestruction()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If QObjectPrivate::declarativeData is set, it is
in various places in Qt expected to point to a
QAbstractDeclarativeDataImpl, from which ownedByQml1
is unconditionally read.

In noDeclarativeParentChangedOnDestruction(), the
declarativeData pointer is, however, set to a local
QAbstractDeclarativeData instance, which, being an
empty class, has size 1 and alignment 1.

Depending on the compiler's idea of bit field order,
this code either read uninitialized data from the
dummy object, or else some random stack memory outside
any (valid) object.

What caught UBSan's attention, though, was the
difference in alignment between the two classes:

  src/corelib/kernel/qobject.cpp:917:9: runtime error: member access within misaligned address 0x7fffc9cf706f for type 'struct QAbstractDeclarativeDataImpl', which requires 4 byte alignment

Fix by providing a properly initialized object of the
correct type.

Change-Id: Iae83a949ee5a7bc98df13e35ea614c063085fa13
Reviewed-by: Lars Knoll <lars.knoll@theqtcompany.com>
Reviewed-by: Jędrzej Nowacki <jedrzej.nowacki@theqtcompany.com>
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@theqtcompany.com>
---
 tests/auto/corelib/kernel/qobject/tst_qobject.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'tests')

diff --git a/tests/auto/corelib/kernel/qobject/tst_qobject.cpp b/tests/auto/corelib/kernel/qobject/tst_qobject.cpp
index 4617ce5e74..aa6ab31065 100644
--- a/tests/auto/corelib/kernel/qobject/tst_qobject.cpp
+++ b/tests/auto/corelib/kernel/qobject/tst_qobject.cpp
@@ -6396,7 +6396,8 @@ void tst_QObject::noDeclarativeParentChangedOnDestruction()
     QObject *parent = new QObject;
     QObject *child = new QObject;
 
-    QAbstractDeclarativeData dummy;
+    QAbstractDeclarativeDataImpl dummy;
+    dummy.ownedByQml1 = false;
     QObjectPrivate::get(child)->declarativeData = &dummy;
 
     parentChangeCalled = false;
-- 
cgit v1.2.3