From 68199cec0e47ff15e8e9b2708441e46cc7c48b84 Mon Sep 17 00:00:00 2001
From: "Evgeniy A. Dushistov"
Date: Thu, 20 Aug 2020 00:33:18 +0300
Subject: QQmlObjectCreator: fix member func call with this == nullptr

The test example is based on qtvirtualkeyboard/src/virtualkeyboard/content/components/PopupList.qml Luckily ((QQmlPropertyCache *)nullptr) -> property(-1) is ended without access to this, so this was not caught before. But this is UB, plus I can not run Qt and my application compiled with -fsanitizer=X, because of it crashed after the first member function call with nullptr as this

Pick-to: 5.15
Fixes: QTBUG-85605
Change-Id: If6a71fde9a14cc4f73139dfa0e6ee3005453104d
Reviewed-by: Ulf Hermann
---
 src/qml/qml/qqmlobjectcreator.cpp | 2 +-
 tests/auto/qml/qqmllanguage/data/NullPointerPropertyCache.qml | 10 ++++++++++
 tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp | 10 ++++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 tests/auto/qml/qqmllanguage/data/NullPointerPropertyCache.qml

diff --git a/src/qml/qml/qqmlobjectcreator.cpp b/src/qml/qml/qqmlobjectcreator.cpp
index abd7c1f068..1c8f2b2091 100644
--- a/src/qml/qml/qqmlobjectcreator.cpp
+++ b/src/qml/qml/qqmlobjectcreator.cpp
@@ -1566,7 +1566,7 @@ bool QQmlObjectCreator::populateInstance(int index, QObject *instance, QObject *
 if (!target)
 continue;
 QQmlData *targetDData = QQmlData::get(target, /*create*/false);
- if (!targetDData)
+ if (targetDData == nullptr || targetDData->propertyCache == nullptr)
 continue;
 int coreIndex = QQmlPropertyIndex::fromEncoded(alias->encodedMetaPropertyIndex).coreIndex();
 QQmlPropertyData *const targetProperty = targetDData->propertyCache->property(coreIndex);
diff --git a/tests/auto/qml/qqmllanguage/data/NullPointerPropertyCache.qml b/tests/auto/qml/qqmllanguage/data/NullPointerPropertyCache.qml
new file mode 100644
index 0000000000..052893936a
--- /dev/null
+++ b/tests/auto/qml/qqmllanguage/data/NullPointerPropertyCache.qml
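Review bot: The added `continue` drops the alias silently whenever `targetDData->propertyCache` is null, and nothing in the hunk records when that state is expected, so the next reader cannot tell a benign skip from a masked setup failure; a one-line comment above the guard would settle it, e.g. `// An alias target can carry QQmlData but no property cache (seen with an alias to a Component, QTBUG-85605); skip it rather than dereference null.` The new condition also switches to `== nullptr` while the `if (!target)` two lines above uses the negation form; `if (!targetDData || !targetDData->propertyCache)` keeps the block consistent. Note that `coreIndex` is still not validated here: the commit message says `property(-1)` was already being reached, so the code relies on `QQmlPropertyCache::property()` rejecting out-of-range indices and on `targetProperty` being null-checked further down, which is outside the hunk and worth confirming. The enclosing `populateInstance` begins and ends outside this hunk.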
@@ -0,0 +1,10 @@
+import QtQuick 2.0
+
+ListView {
+ property alias defaultHighlight: defaultHighlight
+
+ Component {
+ id: defaultHighlight
+ Item {}
+ }
+}
diff --git a/tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp b/tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp
index a902ca0f7d..187243fbbd 100644
--- a/tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp
+++ b/tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp
@@ -329,6 +329,7 @@ private slots:
 void arrayToContainer();
 void qualifiedScopeInCustomParser();
+ void accessNullPointerPropertyCache();
 private:
 QQmlEngine engine;
@@ -5785,6 +5786,15 @@ void tst_qqmllanguage::qualifiedScopeInCustomParser()
 QVERIFY(!obj.isNull());
 }
+void tst_qqmllanguage::accessNullPointerPropertyCache()
+{
+ QQmlEngine engine;
+ QQmlComponent c(&engine, testFileUrl("NullPointerPropertyCache.qml"));
+ QVERIFY(c.isReady());
+ QScopedPointer obj(c.create());
+ QVERIFY(!obj.isNull());
+}
+
 QTEST_MAIN(tst_qqmllanguage)
 #include "tst_qqmllanguage.moc"
--
cgit v1.2.3
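Review bot: `QVERIFY(c.isReady())` in the added `accessNullPointerPropertyCache` gives no diagnostic when the component fails to load, so a regression shows up as a bare failed verify with no QML error; `QVERIFY2(c.isReady(), qPrintable(c.errorString()))` reports the actual error instead. The test also only proves that creation succeeds, and since the creator now skips such an alias with `continue`, a comment such as `// Alias to a Component must not crash the creator (QTBUG-85605); resolving the alias itself is not the point of this test.` would pin the intent — whether the alias is expected to stay unresolved is inferred here and worth confirming. In this rendering `QScopedPointer obj(c.create());` has lost its template argument, presumably `QScopedPointer<QObject>` in the real patch.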