diff options
| author | Erik Verbruggen <erik.verbruggen@qt.io> | 2016-07-08 13:06:21 +0200 |
|---|---|---|
| committer | Robin Burchell <robin.burchell@viroteck.net> | 2016-07-11 21:37:32 +0000 |
| commit | 6fabc0683c6cf0736b4ae9a00f1b138803e461d1 (patch) | |
| tree | 01fccac3bb73d1bb276288a75e85ad5691903ea7 /src/quick/items/qquickopenglshadereffect.cpp | |
| parent | 921ad53c1deb8183f888bf98248d0dcb42838b38 (diff) | |
QtQuick: fix use-after-free of shader property connections
A use-after-free would occur if the sender of a connection would
disconnect (and destroy the slot object), and then the receiver would
try to clean-up and access the slot object again. The fix is to have
the receiver take out a reference to the slot object, because it will
manage the life-time, and thus delete the slot object when it doesn't
need it anymore.
Change-Id: Ie2033cfb7212acceb2c2cd0bd9e7e45c2dd5e434
Reviewed-by: Robin Burchell <robin.burchell@viroteck.net>
Diffstat (limited to 'src/quick/items/qquickopenglshadereffect.cpp')
| -rw-r--r-- | src/quick/items/qquickopenglshadereffect.cpp | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/src/quick/items/qquickopenglshadereffect.cpp b/src/quick/items/qquickopenglshadereffect.cpp index 3f057ecd64..9d24a6c511 100644 --- a/src/quick/items/qquickopenglshadereffect.cpp +++ b/src/quick/items/qquickopenglshadereffect.cpp @@ -187,7 +187,7 @@ public: explicit MappedSlotObject(PropChangedFunc func) : QSlotObjectBase(&impl), _signalIndex(-1), func(func) - {} + { ref(); } void setSignalIndex(int idx) { _signalIndex = idx; } int signalIndex() const { return _signalIndex; } @@ -215,6 +215,12 @@ private: }; } +QQuickOpenGLShaderEffectCommon::~QQuickOpenGLShaderEffectCommon() +{ + for (int shaderType = 0; shaderType < Key::ShaderTypeCount; ++shaderType) + clearSignalMappers(shaderType); +} + void QQuickOpenGLShaderEffectCommon::disconnectPropertySignals(QQuickItem *item, Key::ShaderType shaderType) { for (int i = 0; i < uniformData[shaderType].size(); ++i) { @@ -363,7 +369,7 @@ void QQuickOpenGLShaderEffectCommon::updateShader(QQuickItem *item, { disconnectPropertySignals(item, shaderType); uniformData[shaderType].clear(); - signalMappers[shaderType].clear(); + clearSignalMappers(shaderType); if (shaderType == Key::VertexShader) attributes.clear(); @@ -593,6 +599,15 @@ void QQuickOpenGLShaderEffectCommon::propertyChanged(QQuickItem *item, } } +void QQuickOpenGLShaderEffectCommon::clearSignalMappers(int shader) +{ + for (auto mapper : qAsConst(signalMappers[shader])) { + if (mapper) + mapper->destroyIfLastRef(); + } + signalMappers[shader].clear(); +} + QQuickOpenGLShaderEffect::QQuickOpenGLShaderEffect(QQuickShaderEffect *item, QObject *parent) : QObject(parent) , m_item(item) |