From 7aac345415ca8970f3e5f094ec8fa1a26b36587b Mon Sep 17 00:00:00 2001
From: Ulf Hermann <ulf.hermann@qt.io>
Date: Thu, 26 Mar 2020 12:09:45 +0100
Subject: tst_qqmllanguage: Avoid use after free

Apparently we're poking into the unit data during the last evaluate().
We need to keep it alive until then.

Change-Id: I3a08766503a3508720b3ac154171e6fc8bd280d1
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
---
 tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

(limited to 'tests/auto')

diff --git a/tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp b/tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp
index 16ea659fe9..5665775258 100644
--- a/tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp
+++ b/tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp
@@ -2463,22 +2463,29 @@ void tst_qqmllanguage::scriptStringJs()
     QVERIFY(!object->scriptProperty().booleanLiteral(&ok) && !ok);
 }
 
+struct FreeUnitData
+{
+    static void cleanup(const QV4::CompiledData::Unit *readOnlyQmlUnit)
+    {
+        if (readOnlyQmlUnit && !(readOnlyQmlUnit->flags & QV4::CompiledData::Unit::StaticData))
+            free(const_cast<QV4::CompiledData::Unit *>(readOnlyQmlUnit));
+    }
+};
+
 void tst_qqmllanguage::scriptStringWithoutSourceCode()
 {
     QUrl url = testFileUrl("scriptString7.qml");
+    QScopedPointer<const QV4::CompiledData::Unit, FreeUnitData> readOnlyQmlUnit;
     {
         QQmlEnginePrivate *eng = QQmlEnginePrivate::get(&engine);
         QQmlRefPointer<QQmlTypeData> td = eng->typeLoader.getType(url);
         Q_ASSERT(td);
 
         QQmlRefPointer<QV4::ExecutableCompilationUnit> compilationUnit = td->compilationUnit();
-        const QV4::CompiledData::Unit *readOnlyQmlUnit = compilationUnit->unitData();
+        readOnlyQmlUnit.reset(compilationUnit->unitData());
         Q_ASSERT(readOnlyQmlUnit);
         QV4::CompiledData::Unit *qmlUnit = reinterpret_cast<QV4::CompiledData::Unit *>(malloc(readOnlyQmlUnit->unitSize));
-        memcpy(qmlUnit, readOnlyQmlUnit, readOnlyQmlUnit->unitSize);
-
-        if (!(readOnlyQmlUnit->flags & QV4::CompiledData::Unit::StaticData))
-            free(const_cast<QV4::CompiledData::Unit *>(readOnlyQmlUnit));
+        memcpy(qmlUnit, readOnlyQmlUnit.data(), readOnlyQmlUnit->unitSize);
 
         qmlUnit->flags &= ~QV4::CompiledData::Unit::StaticData;
         compilationUnit->setUnitData(qmlUnit);
-- 
cgit v1.2.3