diff options
| author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-05-13 14:19:01 +0200 |
|---|---|---|
| committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-06-04 14:18:28 +0000 |
| commit | 1aa4eab4a68e19702b5b3ab9b831efdc35266e66 (patch) | |
| tree | 0ed935be0ce3f8bc22b2c36a6bdf354e15529051 /src/quick/items/qquicklistview.cpp | |
| parent | 7940d57b53817f28e1a575a7c37aeed968fb2f61 (diff) | |
Fix heap-use-after-free with QQuickListView
Ensure we stop FXViewItems from tracking so we don't have pointers
to dead QQuickListViewPrivate object on QQuickItem destruction.
Fixes: QTBUG-71581
Change-Id: I80291086697b1455d9319969fe5cba0ea4d04a73
Reviewed-by: Richard Moe Gustavsen <richard.gustavsen@qt.io>
Diffstat (limited to 'src/quick/items/qquicklistview.cpp')
| -rw-r--r-- | src/quick/items/qquicklistview.cpp | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/src/quick/items/qquicklistview.cpp b/src/quick/items/qquicklistview.cpp index 81d019a26d..146917c679 100644 --- a/src/quick/items/qquicklistview.cpp +++ b/src/quick/items/qquicklistview.cpp @@ -81,7 +81,7 @@ public: FxViewItem *snapItemAt(qreal pos); void init() override; - void clear() override; + void clear(bool onDestruction) override; bool addVisibleItems(qreal fillFrom, qreal fillTo, qreal bufferFrom, qreal bufferTo, bool doBuffer) override; bool removeNonVisibleItems(qreal bufferFrom, qreal bufferTo) override; @@ -98,7 +98,7 @@ public: void adjustFirstItem(qreal forwards, qreal backwards, int) override; void updateSizeChangesBeforeVisiblePos(FxViewItem *item, ChangeResult *removeResult) override; - void createHighlight() override; + void createHighlight(bool onDestruction = false) override; void updateHighlight() override; void resetHighlightPosition() override; bool movingFromHighlight() override; @@ -575,7 +575,7 @@ void QQuickListViewPrivate::init() ::memset(sectionCache, 0, sizeof(QQuickItem*) * sectionCacheSize); } -void QQuickListViewPrivate::clear() +void QQuickListViewPrivate::clear(bool onDestruction) { for (int i = 0; i < sectionCacheSize; ++i) { delete sectionCache[i]; @@ -587,7 +587,7 @@ void QQuickListViewPrivate::clear() releaseSectionItem(nextSectionItem); nextSectionItem = nullptr; lastVisibleSection = QString(); - QQuickItemViewPrivate::clear(); + QQuickItemViewPrivate::clear(onDestruction); } FxViewItem *QQuickListViewPrivate::newViewItem(int modelIndex, QQuickItem *item) @@ -634,7 +634,7 @@ void QQuickListViewPrivate::initializeViewItem(FxViewItem *item) bool QQuickListViewPrivate::releaseItem(FxViewItem *item) { if (!item || !model) - return true; + return QQuickItemViewPrivate::releaseItem(item); QPointer<QQuickItem> it = item->item; QQuickListViewAttached *att = static_cast<QQuickListViewAttached*>(item->attached); @@ -876,9 +876,8 @@ void QQuickListViewPrivate::updateSizeChangesBeforeVisiblePos(FxViewItem *item, QQuickItemViewPrivate::updateSizeChangesBeforeVisiblePos(item, removeResult); } -void QQuickListViewPrivate::createHighlight() +void QQuickListViewPrivate::createHighlight(bool onDestruction) { - Q_Q(QQuickListView); bool changed = false; if (highlight) { if (trackedItem == highlight) @@ -896,6 +895,10 @@ void QQuickListViewPrivate::createHighlight() changed = true; } + if (onDestruction) + return; + + Q_Q(QQuickListView); if (currentItem) { QQuickItem *item = createHighlightItem(); if (item) { |