ResolvedList: attempt read from correct meta object

Fixes: QTBUG-82171 Change-Id: If14b10d703aa1b69cd697024ada2fae0453103d7 Reviewed-by: Ulf Hermann <ulf.hermann@qt.io> Reviewed-by: Aleix Pol Gonzalez <aleixpol@kde.org>
author: Fabian Kosmale <fabian.kosmale@qt.io> 2020-02-18 09:20:13 +0100
committer: Fabian Kosmale <fabian.kosmale@qt.io> 2020-02-19 20:55:47 +0100
commit: add46fd9055088e6aa458f21558234e267eb60ca (patch)
tree: 39e8c3909c6fcaf407f370ebb873fa0a16114e5d /src/qml/qml/qqmlvmemetaobject.cpp
parent: d4f3445bb050bbc34f0e86832fca9b7047041c1e (diff)
1 files changed, 42 insertions, 5 deletions
diff --git a/src/qml/qml/qqmlvmemetaobject.cpp b/src/qml/qml/qqmlvmemetaobject.cpp
index de23e929e2..edf9657f53 100644
--- a/src/qml/qml/qqmlvmemetaobject.cpp
+++ b/src/qml/qml/qqmlvmemetaobject.cpp
@@ -48,6 +48,7 @@
 #include "qqmlcontext_p.h"
 #include "qqmlbinding_p.h"
 #include "qqmlpropertyvalueinterceptor_p.h"
+#include <qqmlinfo.h>
 
 #include <private/qqmlglobal_p.h>
 
@@ -60,6 +61,8 @@
 #include <private/qqmlpropertycachecreator_p.h>
 #include <private/qqmlpropertycachemethodarguments_p.h>
 
+#include <climits> // for CHAR_BIT
+
 QT_BEGIN_NAMESPACE
 
 class ResolvedList
@@ -67,13 +70,22 @@ class ResolvedList
     Q_DISABLE_COPY_MOVE(ResolvedList)
 
 public:
-    ResolvedList(QQmlListProperty<QObject> *prop) :
-        m_metaObject(static_cast<QQmlVMEMetaObject *>(QObjectPrivate::get(prop->object)->metaObject)),
-        m_id(quintptr(prop->data))
+    ResolvedList(QQmlListProperty<QObject> *prop)
     {
+        // see QQmlVMEMetaObject::metaCall for how this was constructed
+        auto encodedIndex = quintptr(prop->data);
+        constexpr quintptr usableBits = sizeof(quintptr)  * CHAR_BIT;
+        quintptr inheritanceDepth = encodedIndex >> (usableBits / 2);
+        m_id = encodedIndex & ((quintptr(1) << (usableBits / 2)) - 1);
+
+        // walk up to the correct meta object if necessary
+        auto mo = prop->object->metaObject();
+        while (inheritanceDepth--)
+            mo = mo->superClass();
+        m_metaObject = static_cast<QQmlVMEMetaObject *>(const_cast<QMetaObject *>(mo));
         Q_ASSERT(m_metaObject);
+        Q_ASSERT( ::strstr(m_metaObject->property(m_metaObject->propOffset() + m_id).typeName(), "QQmlListProperty") );
         Q_ASSERT(m_metaObject->object == prop->object);
-        Q_ASSERT(m_id <= quintptr(std::numeric_limits<int>::max() - m_metaObject->methodOffset()));
 
         // readPropertyAsList() with checks transformed into Q_ASSERT
         // and without allocation.
@@ -747,10 +759,35 @@ int QQmlVMEMetaObject::metaCall(QObject *o, QMetaObject::Call c, int _id, void *
                         break;
                     case QV4::CompiledData::BuiltinType::InvalidBuiltin:
                         if (property.isList) {
+                            // when reading from the list, we need to find the correct MetaObject,
+                            // namely this. However, obejct->metaObject might point to any MetaObject
+                            // down the inheritance hierarchy, so we need to store how far we have
+                            // to go down
+                            // To do this, we encode the hierarchy depth together with the id of the
+                            // property in a single quintptr, with the first half storing the depth
+                            // and the second half storing the property id
+                            auto mo = object->metaObject();
+                            quintptr inheritanceDepth = 0u;
+                            while (mo && mo != this) {
+                                mo = mo->superClass();
+                                ++inheritanceDepth;
+                            }
+                            constexpr quintptr usableBits = sizeof(quintptr)  * CHAR_BIT;
+                            if (Q_UNLIKELY(inheritanceDepth >= (quintptr(1) << quintptr(usableBits / 2u) ) )) {
+                                qmlWarning(object) << "Too many objects in inheritance hierarchy for list property";
+                                return -1;
+                            }
+                            if (Q_UNLIKELY(quintptr(id) >= (quintptr(1) << quintptr(usableBits / 2) ) )) {
+                                qmlWarning(object) << "Too many properties in object for list property";
+                                return -1;
+                            }
+                            quintptr encodedIndex = (inheritanceDepth << (usableBits/2)) + id;
+
+
                             readPropertyAsList(id); // Initializes if necessary
                             *static_cast<QQmlListProperty<QObject> *>(a[0])
                                     = QQmlListProperty<QObject>(
-                                        object, reinterpret_cast<void *>(quintptr(id)),
+                                        object, reinterpret_cast<void *>(quintptr(encodedIndex)),
                                         list_append, list_count, list_at,
                                         list_clear, list_replace, list_removeLast);
                         } else {
author	Fabian Kosmale <fabian.kosmale@qt.io>	2020-02-18 09:20:13 +0100
committer	Fabian Kosmale <fabian.kosmale@qt.io>	2020-02-19 20:55:47 +0100
commit	add46fd9055088e6aa458f21558234e267eb60ca (patch)
tree	39e8c3909c6fcaf407f370ebb873fa0a16114e5d /src/qml/qml/qqmlvmemetaobject.cpp
parent	d4f3445bb050bbc34f0e86832fca9b7047041c1e (diff)