authorMitch Curtis <mitch.curtis@qt.io>2020-09-25 15:55:43 +0200
committerQt Cherry-pick Bot <cherrypick_bot@qt-project.org>2020-09-29 11:20:30 +0000
commit43c9cc30a26f7fb482248115eec418128a1add0f (patch)
treec39de47b53faf16e7086005d6a97e2c559ada1fe
parent68a916d8ec4ff964bb1310b4065494e9e041499e (diff)
QQuickMenu: fix heap-use-after-free
The previous patch fixed a memory leak, which in turn exposed an issue caused by item change listeners not being removed before contentModel is destroyed. QQuickMenuPrivate::itemParentChanged() then tried to access that contentModel, resulting in a heap-use-after-free. This patch fixes the issue by removing all menu items before the menu is destroyed, ensuring that the change listeners are removed in time. Task-number: QTBUG-86851 Change-Id: I3dc0a251d7fd9c05c384de6472e73493b2d5b664 Reviewed-by: Andy Shaw <andy.shaw@qt.io> (cherry picked from commit 5e4f4ed2410a29914a70b7c7d0b7b4f3a136f289) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r--src/quicktemplates2/qquickmenu.cpp10
-rw-r--r--src/quicktemplates2/qquickmenu_p.h1
2 files changed, 11 insertions, 0 deletions
diff --git a/src/quicktemplates2/qquickmenu.cpp b/src/quicktemplates2/qquickmenu.cpp
index 01309ef2..9fd63587 100644
--- a/src/quicktemplates2/qquickmenu.cpp
+++ b/src/quicktemplates2/qquickmenu.cpp
@@ -729,6 +729,16 @@ QQuickMenu::QQuickMenu(QObject *parent)
connect(d->contentModel, &QQmlObjectModel::countChanged, this, &QQuickMenu::countChanged);
}
+QQuickMenu::~QQuickMenu()
+{
+ Q_D(QQuickMenu);
+ // We have to do this to ensure that the change listeners are removed.
+ // It's too late to do this in ~QQuickMenuPrivate, as contentModel has already
+ // been destroyed before that is called.
+ while (d->contentModel->count() > 0)
+ d->removeItem(0, d->itemAt(0));
+}
+
/*!
\qmlmethod Item QtQuick.Controls::Menu::itemAt(int index)
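Review bot: The drain loop in `~QQuickMenu()` passes `d->itemAt(0)` straight to `d->removeItem()` and only terminates if every call lowers `d->contentModel->count()`. Neither helper is visible in this hunk, so both assumptions are worth confirming. If `itemAt()` can return null for a model entry that is not a QQuickItem, the destructor would trade the use-after-free for a null dereference or an endless loop; making the assumption explicit with `QQuickItem *item = d->itemAt(0); Q_ASSERT(item);` before the `removeItem` call would document it. The diffstat also shows no autotest. Because the defect is a heap-use-after-free during teardown, a test that destroys a Menu with items still attached, run under AddressSanitizer, would keep it from regressing.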
diff --git a/src/quicktemplates2/qquickmenu_p.h b/src/quicktemplates2/qquickmenu_p.h
index 01b970f8..ae653d80 100644
--- a/src/quicktemplates2/qquickmenu_p.h
+++ b/src/quicktemplates2/qquickmenu_p.h
@@ -76,6 +76,7 @@ class Q_QUICKTEMPLATES2_PRIVATE_EXPORT QQuickMenu : public QQuickPopup
public:
explicit QQuickMenu(QObject *parent = nullptr);
+ ~QQuickMenu();
Q_INVOKABLE QQuickItem *itemAt(int index) const;
Q_INVOKABLE void addItem(QQuickItem *item);
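Review bot: The new declaration `~QQuickMenu();` could be written `~QQuickMenu() override;` so the compiler verifies that it overrides a virtual base destructor. The listener cleanup added in qquickmenu.cpp only runs on a delete through a QQuickPopup or QObject pointer if the call dispatches to this destructor, so the use-after-free fix depends on that. The class body continues outside this hunk.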