authorMitch Curtis <mitch.curtis@qt.io>2020-09-25 15:55:43 +0200
committerMitch Curtis <mitch.curtis@qt.io>2020-09-29 10:01:37 +0200
commit5e4f4ed2410a29914a70b7c7d0b7b4f3a136f289 (patch)
treefe4cac8e40197a9b7eb6f688920099cde3d6fbaf /src/quicktemplates2
parentf12e2061c460504d6db1d1370e97b5eeead9c7bf (diff)
QQuickMenu: fix heap-use-after-free
The previous patch fixed a memory leak, which in turn exposed an issue caused by item change listeners not being removed before contentModel is destroyed. QQuickMenuPrivate::itemParentChanged() then tried to access that contentModel, resulting in a heap-use-after-free. This patch fixes the issue by removing all menu items before the menu is destroyed, ensuring that the change listeners are removed in time. Pick-to: 5.15 5.12 Task-number: QTBUG-86851 Change-Id: I3dc0a251d7fd9c05c384de6472e73493b2d5b664 Reviewed-by: Andy Shaw <andy.shaw@qt.io>
Diffstat (limited to 'src/quicktemplates2')
-rw-r--r--src/quicktemplates2/qquickmenu.cpp10
-rw-r--r--src/quicktemplates2/qquickmenu_p.h1
2 files changed, 11 insertions, 0 deletions
diff --git a/src/quicktemplates2/qquickmenu.cpp b/src/quicktemplates2/qquickmenu.cpp
index 35dc5dd8..5bc44f0d 100644
--- a/src/quicktemplates2/qquickmenu.cpp
+++ b/src/quicktemplates2/qquickmenu.cpp
@@ -735,6 +735,16 @@ QQuickMenu::QQuickMenu(QObject *parent)
connect(d->contentModel, &QQmlObjectModel::countChanged, this, &QQuickMenu::countChanged);
}
+QQuickMenu::~QQuickMenu()
+{
+ Q_D(QQuickMenu);
+ // We have to do this to ensure that the change listeners are removed.
+ // It's too late to do this in ~QQuickMenuPrivate, as contentModel has already
+ // been destroyed before that is called.
+ while (d->contentModel->count() > 0)
+ d->removeItem(0, d->itemAt(0));
+}
+
/*!
\qmlmethod Item QtQuick.Controls::Menu::itemAt(int index)
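Review bot: The teardown loop in `~QQuickMenu()` passes `d->itemAt(0)` to `d->removeItem()` unchecked and only terminates if every call shrinks `contentModel`, which is fragile in a destructor that exists to close a heap-use-after-free. Neither helper's body is visible in this hunk, so this is inferred: if `itemAt()` can return null for a model entry that is not a QQuickItem, or `removeItem()` can leave index 0 in place, the destructor would dereference null or never return. I would make the assumption explicit with `QQuickItem *item = d->itemAt(0); Q_ASSERT(item);` ahead of the `removeItem()` call, or at least extend the comment with `// Assumes every contentModel entry is a QQuickItem; removeItem() must remove index 0.` The context line above also connects `contentModel`'s `countChanged` to this object, so each removal presumably emits `QQuickMenu::countChanged` from a partly destroyed menu; confirm that connected handlers tolerate this.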
diff --git a/src/quicktemplates2/qquickmenu_p.h b/src/quicktemplates2/qquickmenu_p.h
index 2646cffa..4a690f9c 100644
--- a/src/quicktemplates2/qquickmenu_p.h
+++ b/src/quicktemplates2/qquickmenu_p.h
@@ -78,6 +78,7 @@ class Q_QUICKTEMPLATES2_PRIVATE_EXPORT QQuickMenu : public QQuickPopup
public:
explicit QQuickMenu(QObject *parent = nullptr);
+ ~QQuickMenu();
Q_INVOKABLE QQuickItem *itemAt(int index) const;
Q_INVOKABLE void addItem(QQuickItem *item);