From 7537526093c92e89672d1e952a9baceecaa91730 Mon Sep 17 00:00:00 2001
From: Kirill Burtsev <kirill.burtsev@qt.io>
Date: Mon, 11 Feb 2019 19:21:03 +0100
Subject: Remove download properly on profile destruction to avoid use after
 free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In the Widgets API, download items are children of the profile and are
destroyed when the parent profile destroys its children. The download
item's destructor can therefore not access the profile, as it would
cause a heap-use-after-free crashes. On quick side turn ongoing downloads
cleanup to match widgets one.

Fixes: QTBUG-73839
Change-Id: Iabb379e91187e3e68ebcd4693fec35883b72b1f2
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
---
 .../tst_qwebenginedownloaditem.cpp                 | 32 ++++++++++++++++++++++
 1 file changed, 32 insertions(+)

(limited to 'tests/auto/widgets/qwebenginedownloaditem/tst_qwebenginedownloaditem.cpp')

diff --git a/tests/auto/widgets/qwebenginedownloaditem/tst_qwebenginedownloaditem.cpp b/tests/auto/widgets/qwebenginedownloaditem/tst_qwebenginedownloaditem.cpp
index 2af818928..b30fc7258 100644
--- a/tests/auto/widgets/qwebenginedownloaditem/tst_qwebenginedownloaditem.cpp
+++ b/tests/auto/widgets/qwebenginedownloaditem/tst_qwebenginedownloaditem.cpp
@@ -69,6 +69,7 @@ private Q_SLOTS:
     void downloadFileNot1();
     void downloadFileNot2();
     void downloadDeleted();
+    void downloadDeletedByProfile();
 
 private:
     void saveLink(QPoint linkPos);
@@ -812,5 +813,36 @@ void tst_QWebEngineDownloadItem::downloadDeleted()
     QTRY_COMPARE(finishedCount, 1);
 }
 
+void tst_QWebEngineDownloadItem::downloadDeletedByProfile()
+{
+    m_server->setExpectError(true);
+
+    QPointer<QWebEngineProfile> profile(new QWebEngineProfile);
+    profile->setHttpCacheType(QWebEngineProfile::NoCache);
+    profile->settings()->setAttribute(QWebEngineSettings::AutoLoadIconsForPage, false);
+
+    bool downloadFinished = false;
+    QPointer<QWebEngineDownloadItem> downloadItem;
+    connect(profile, &QWebEngineProfile::downloadRequested, [&] (QWebEngineDownloadItem *item) {
+        connect(item, &QWebEngineDownloadItem::finished, [&] () {
+            downloadFinished = true;
+        });
+        downloadItem = item;
+        item->accept();
+    });
+
+    QPointer<QWebEnginePage> page(new QWebEnginePage(profile));
+    page->download(m_server->url(QByteArrayLiteral("/file")));
+
+    QTRY_COMPARE(downloadItem.isNull(), false);
+    QVERIFY(downloadItem);
+
+    page->deleteLater();
+    profile->deleteLater();
+
+    QTRY_COMPARE(downloadFinished, true);
+    QTRY_COMPARE(downloadItem.isNull(), true);
+}
+
 QTEST_MAIN(tst_QWebEngineDownloadItem)
 #include "tst_qwebenginedownloaditem.moc"
-- 
cgit v1.2.3