author | Mitch Curtis <mitch.curtis@qt.io> | 2019-02-20 15:01:16 +0100 |
committer | Mitch Curtis <mitch.curtis@qt.io> | 2019-02-20 14:15:51 +0000 |
commit | 9dbe6c6d9ed4d4605f863be8376e502518880aee (patch) | |
tree | 22a41aaf3afe5e75c0f709b73ab62f293ac951d0 /tests | |
parent | 3b467b5c5b34795fc4dfcd9cb8822aa3a3d8cf1c (diff) |
Fix heap-use-after-free in tst_gifs
The pointer returned by qPrintable should not be stored.
The shortened ASAN output:
=================================================================
==23322==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060002b4e58 at pc 0x7f8b035f7569 bp 0x7fff7ea38530 sp 0x7fff7ea38520
READ of size 1 at 0x6060002b4e58 thread T0
#0 0x7f8b035f7568 in QMetaObject::indexOfProperty(char const*) const /home/mitch/dev/qt5-dev/qtbase/src/corelib/kernel/qmetaobject.cpp:1015
#1 0x7f8b03687194 in QObject::property(char const*) const /home/mitch/dev/qt5-dev/qtbase/src/corelib/kernel/qobject.cpp:3891
#2 0x55a59f4cc085 in tst_Gifs::checkables() /home/mitch/dev/qt5-dev/qtquickcontrols2/tests/manual/gifs/tst_gifs.cpp:737
0x6060002b4e58 is located 24 bytes inside of 64-byte region [0x6060002b4e40,0x6060002b4e80)
freed by thread T0 here:
#0 0x7f8b0708c7b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
#1 0x7f8b02fcc0a2 in QArrayData::deallocate(QArrayData*, unsigned long, unsigned long) /home/mitch/dev/qt5-dev/qtbase/src/corelib/tools/qarraydata.cpp:167
#2 0x55a59f4cbf5c in QTypedArrayData<char>::deallocate(QArrayData*) /home/mitch/dev/qt5-dev-debug/qtbase/include/QtCore/../../../../qt5-dev/qtbase/src/corelib/tools/qarraydata.h:239
#3 0x55a59f4cbf5c in QByteArray::~QByteArray() /home/mitch/dev/qt5-dev-debug/qtbase/include/QtCore/../../../../qt5-dev/qtbase/src/corelib/tools/qbytearray.h:476
#4 0x55a59f4cbf5c in tst_Gifs::checkables() /home/mitch/dev/qt5-dev/qtquickcontrols2/tests/manual/gifs/tst_gifs.cpp:736
previously allocated by thread T0 here:
#0 0x7f8b0708cf40 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef40)
#1 0x7f8b02fcb451 in reallocateData /home/mitch/dev/qt5-dev/qtbase/src/corelib/tools/qarraydata.cpp:83
#2 0x7f8b02fcbf7f in QArrayData::reallocateUnaligned(QArrayData*, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) /home/mitch/dev/qt5-dev/qtbase/src/corelib/tools/qarraydata.cpp:146
#3 0x7f8b02fd58fa in QTypedArrayData<char>::reallocateUnaligned(QTypedArrayData<char>*, unsigned long, QFlags<QArrayData::AllocationOption>) ../../include/QtCore/../../../../qt5-dev/qtbase/src/corelib/tools/qarraydata.h:233
#4 0x7f8b02fd58fa in QByteArray::reallocData(unsigned int, QFlags<QArrayData::AllocationOption>) /home/mitch/dev/qt5-dev/qtbase/src/corelib/tools/qbytearray.cpp:1914
#5 0x7f8b02fd63c1 in QByteArray::resize(int) /home/mitch/dev/qt5-dev/qtbase/src/corelib/tools/qbytearray.cpp:1875
#6 0x7f8b0373c3a0 in QUtf8::convertFromUnicode(QChar const*, int, QTextCodec::ConverterState*) /home/mitch/dev/qt5-dev/qtbase/src/corelib/codecs/qutfcodec.cpp:456
#7 0x7f8b0373c653 in QUtf8Codec::convertFromUnicode(QChar const*, int, QTextCodec::ConverterState*) const /home/mitch/dev/qt5-dev/qtbase/src/corelib/codecs/qutfcodec.cpp:983
#8 0x7f8b0374918b in QTextCodec::fromUnicode(QStringView) const /home/mitch/dev/qt5-dev/qtbase/src/corelib/codecs/qtextcodec.cpp:846
#9 0x7f8b0311c01a in qt_convert_to_local_8bit /home/mitch/dev/qt5-dev/qtbase/src/corelib/tools/qstring.cpp:5369
#10 0x7f8b031366cb in QString::toLocal8Bit_helper(QChar const*, int) /home/mitch/dev/qt5-dev/qtbase/src/corelib/tools/qstring.cpp:5359
#11 0x55a59f4cbd70 in QString::toLocal8Bit() && /home/mitch/dev/qt5-dev-debug/qtbase/include/QtCore/../../../../qt5-dev/qtbase/src/corelib/tools/qstring.h:556
#12 0x55a59f4cbd70 in tst_Gifs::checkables() /home/mitch/dev/qt5-dev/qtquickcontrols2/tests/manual/gifs/tst_gifs.cpp:736
Change-Id: I5a967607e7ebff5177261f32222b9f50ee65d35e
Reviewed-by: Frederik Gladhorn <frederik.gladhorn@qt.io>
Diffstat (limited to 'tests')
-rw-r--r-- | tests/manual/gifs/tst_gifs.cpp | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/tests/manual/gifs/tst_gifs.cpp b/tests/manual/gifs/tst_gifs.cpp
index 2a7d55bd..d7d8f98d 100644
--- a/tests/manual/gifs/tst_gifs.cpp
+++ b/tests/manual/gifs/tst_gifs.cpp
@@ -733,8 +733,8 @@ void tst_Gifs::checkables()
 for (int i = 0; i < pressIndices.size(); ++i) {
 const int pressIndex = pressIndices.at(i);
- const char *controlId = qPrintable(QString::fromLatin1("control%1").arg(pressIndex + 1));
- QQuickItem *control = window->property(controlId).value<QQuickItem*>();
+ const QString controlId = QString::fromLatin1("control%1").arg(pressIndex + 1);
+ QQuickItem *control = window->property(qPrintable(controlId)).value<QQuickItem*>();
 QVERIFY(control);
 const QPoint pos = control->mapToScene(QPointF(control->width() / 2, control->height() / 2)).toPoint(); |