From 49c244e3c5a9138e6785515ebb64334705236ed4 Mon Sep 17 00:00:00 2001
From: Mitch Curtis
Date: Tue, 19 Jun 2018 16:04:24 +0200
Subject: QQuickPathViewPrivate: fix heap-use-after-free

The TabBar auto tests in Qt Quick Controls 2 repeats the following process very quickly for several data rows:

1. Creates a TabBar (PathView, when using the Universal style)
2. Moves items in its QQmlObjectModel
3. Deletes the TabBar

When run with ASAN, this test would fail, because the TabButtons (which are child items of the PathView) would try to access a deleted QQuickItemChangeListener upon their destruction.

The underlying issue is that QQuickPathView::modelUpdated() is called, and before a refill() can happen, the view is deleted. QQuickPathView::refill() was the only execution path that was releasing the cached items (QQuickPathViewPrivate::itemCache), and since part of releasing an item involves removing the QQuickPathView as a change listener from the item, the item would access the deleted view (listener) when the item was being destroyed.

This patch fixes the issue by also releasing cached items in QQuickPathViewPrivate::clear(), which is always called by the destructor.

Task-number: QTBUG-68964
Change-Id: Ic5bf0943be79948c86bf7c07ef13ecd1a7b971ba
Reviewed-by: Richard Moe Gustavsen
Reviewed-by: Robin Burchell
---
 src/quick/items/qquickpathview.cpp | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'src')

diff --git a/src/quick/items/qquickpathview.cpp b/src/quick/items/qquickpathview.cpp
index 74c8eaa169..879db6284e 100644
--- a/src/quick/items/qquickpathview.cpp
+++ b/src/quick/items/qquickpathview.cpp
@@ -240,9 +240,13 @@ void QQuickPathViewPrivate::clear()
         releaseItem(currentItem);
         currentItem = nullptr;
     }
+
     for (QQuickItem *p : qAsConst(items))
         releaseItem(p);
+    for (QQuickItem *p : qAsConst(itemCache))
+        releaseItem(p);
+
     if (requestedIndex >= 0) {
         if (model)
             model->cancel(requestedIndex);
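Review bot: After the new `for (QQuickItem *p : qAsConst(itemCache)) releaseItem(p);` loop, itemCache still holds the released pointers until the `itemCache.clear();` added in the second hunk, and `model->cancel(requestedIndex)` runs in between; this mirrors the pre-existing handling of `items`, but whether cancel() can re-enter the view and touch the cache is not visible from this hunk, so clearing directly after the loop (`itemCache.clear();` on the line following `releaseItem(p);`, which would make the second hunk's addition unnecessary) closes that window at no cost. Since refill() remains the other place that releases cached items, the duplicated responsibility deserves a comment at the new loop, e.g. `// refill() may never run before the view is destroyed; release cached items here too so they stop listening to this view (QTBUG-68964).`. A regression test under ASAN in this module's own PathView autotest would pin the use-after-free independently of the Controls 2 TabBar test cited in the description. clear() starts and ends outside this hunk.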
@@ -250,6 +254,7 @@ void QQuickPathViewPrivate::clear()
     }
     items.clear();
+    itemCache.clear();
     tl.clear();
 }
-- 
cgit v1.2.3