author | Ulf Hermann <ulf.hermann@qt.io> | 2020-03-26 12:09:45 +0100 |
committer | Ulf Hermann <ulf.hermann@qt.io> | 2020-03-26 13:16:45 +0100 |
commit | 7aac345415ca8970f3e5f094ec8fa1a26b36587b (patch) | |
tree | fecbcdf93de55e5c7c225874697f13fdb7af0de9 /tests/auto/qml/qqmllanguage | |
parent | aa5f4add4073a95e3222e43a7422f8421d3a1aee (diff) |
tst_qqmllanguage: Avoid use after free
Apparently we're poking into the unit data during the last evaluate().
We need to keep it alive until then.
Change-Id: I3a08766503a3508720b3ac154171e6fc8bd280d1
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
Diffstat (limited to 'tests/auto/qml/qqmllanguage')
-rw-r--r-- | tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp b/tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp
index 16ea659fe9..5665775258 100644
--- a/tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp
+++ b/tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp
@@ -2463,22 +2463,29 @@ void tst_qqmllanguage::scriptStringJs()
 QVERIFY(!object->scriptProperty().booleanLiteral(&ok) && !ok);
 }
+struct FreeUnitData
+{
+ static void cleanup(const QV4::CompiledData::Unit *readOnlyQmlUnit)
+ {
+ if (readOnlyQmlUnit && !(readOnlyQmlUnit->flags & QV4::CompiledData::Unit::StaticData))
+ free(const_cast<QV4::CompiledData::Unit *>(readOnlyQmlUnit));
+ }
+};
+
 void tst_qqmllanguage::scriptStringWithoutSourceCode()
 {
 QUrl url = testFileUrl("scriptString7.qml");
+ QScopedPointer<const QV4::CompiledData::Unit, FreeUnitData> readOnlyQmlUnit;
 {
 QQmlEnginePrivate *eng = QQmlEnginePrivate::get(&engine);
 QQmlRefPointer<QQmlTypeData> td = eng->typeLoader.getType(url);
 Q_ASSERT(td);
 QQmlRefPointer<QV4::ExecutableCompilationUnit> compilationUnit = td->compilationUnit();
- const QV4::CompiledData::Unit *readOnlyQmlUnit = compilationUnit->unitData();
+ readOnlyQmlUnit.reset(compilationUnit->unitData());
 Q_ASSERT(readOnlyQmlUnit);
 QV4::CompiledData::Unit *qmlUnit = reinterpret_cast<QV4::CompiledData::Unit *>(malloc(readOnlyQmlUnit->unitSize));
- memcpy(qmlUnit, readOnlyQmlUnit, readOnlyQmlUnit->unitSize);
-
- if (!(readOnlyQmlUnit->flags & QV4::CompiledData::Unit::StaticData))
- free(const_cast<QV4::CompiledData::Unit *>(readOnlyQmlUnit));
+ memcpy(qmlUnit, readOnlyQmlUnit.data(), readOnlyQmlUnit->unitSize);
 qmlUnit->flags &= ~QV4::CompiledData::Unit::StaticData;
 compilationUnit->setUnitData(qmlUnit);
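Review bot: The ownership hand-off at `readOnlyQmlUnit.reset(compilationUnit->unitData())` is undocumented in the code: a QScopedPointer declared at function scope now owns a buffer that `compilationUnit` keeps pointing at until `setUnitData(qmlUnit)` a few lines later, and the reason its lifetime must extend past the inner block exists only in the commit message. I would add above the `QScopedPointer` declaration: `// Owns the original unit data until the function returns: the engine still reads it during the final evaluate(), so it must not be freed inside the block below.` The new code also relies on `setUnitData()` not releasing the buffer it replaces, otherwise FreeUnitData::cleanup would double-free in the non-StaticData case; the old explicit free before `setUnitData` relied on the same contract, so this looks safe, but the comment should state it. The rest of scriptStringWithoutSourceCode, including the evaluate() call the commit message refers to, lies outside this hunk.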