diff options
author | Ulf Hermann <ulf.hermann@qt.io> | 2020-02-27 09:27:40 +0100 |
---|---|---|
committer | Ulf Hermann <ulf.hermann@qt.io> | 2020-02-27 14:56:13 +0100 |
commit | 40f2dbd5557da2103e03a3fb7682bbfda3ffd122 (patch) | |
tree | 9d0d1945f6e35a6b3887c3b9000169d28a81dcb8 /src/qmlmodels | |
parent | 639196d0939ab2ce4f42671682cdddc91fee58ac (diff) |
QQmlDelegateModel: Avoid use-after-free
The iterator may be invalidated by addCacheItem(). We can retrieve the
relevant properties before, though.
Change-Id: Ia3bbc50d16a7563097239177a75c9e2eab777a33
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
Reviewed-by: Shawn Rutledge <shawn.rutledge@qt.io>
Diffstat (limited to 'src/qmlmodels')
-rw-r--r-- | src/qmlmodels/qqmldelegatemodel.cpp | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/src/qmlmodels/qqmldelegatemodel.cpp b/src/qmlmodels/qqmldelegatemodel.cpp index c32caafaa6..3a05bf1689 100644 --- a/src/qmlmodels/qqmldelegatemodel.cpp +++ b/src/qmlmodels/qqmldelegatemodel.cpp @@ -1211,11 +1211,13 @@ QObject *QQmlDelegateModelPrivate::object(Compositor::Group group, int index, QQ } Compositor::iterator it = m_compositor.find(group, index); + const auto flags = it->flags; + const auto modelIndex = it.modelIndex(); QQmlDelegateModelItem *cacheItem = it->inCache() ? m_cache.at(it.cacheIndex) : 0; if (!cacheItem || !cacheItem->delegate) { - QQmlComponent *delegate = resolveDelegate(it.modelIndex()); + QQmlComponent *delegate = resolveDelegate(modelIndex); if (!delegate) return nullptr; @@ -1226,17 +1228,17 @@ QObject *QQmlDelegateModelPrivate::object(Compositor::Group group, int index, QQ // all related properties, and return the object (which // has already been incubated, otherwise it wouldn't be in the pool). addCacheItem(cacheItem, it); - reuseItem(cacheItem, index, it->flags); + reuseItem(cacheItem, index, flags); cacheItem->referenceObject(); return cacheItem->object; } // Since we could't find an available item in the pool, we create a new one - cacheItem = m_adaptorModel.createItem(m_cacheMetaType, it.modelIndex()); + cacheItem = m_adaptorModel.createItem(m_cacheMetaType, modelIndex); if (!cacheItem) return nullptr; - cacheItem->groups = it->flags; + cacheItem->groups = flags; addCacheItem(cacheItem, it); } |