Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: P2: Important
Fix Version/s: None
Affects Version/s: 1.2.x
Component/s: PySide
Labels:
None

Description

In https://qt.gitorious.org/pyside/pyside/source/master:libpyside/dynamicqmetaobject.cpp#L169 there is a use-after-free bug which the attached patch fixes.

PropertyData::type() returns a new QByteStream (whose `data` is a copy of the `char*` name of the property)
However the use of `type().data()` on the stack without saving its reference means the `char*` returned by the `data()` method is immediately deallocated in the the `~QByteStream` destructor.
(Detected by AddressSanitizer)
The attached patch fixes it by holding a reference to the QByteStream returned by `type()` for the duration of the method call.

diff --git a/libpyside/dynamicqmetaobject.cpp b/libpyside/dynamicqmetaobject.cpp
index 4f9af32..806b4dc 100644
--- a/libpyside/dynamicqmetaobject.cpp
+++ b/libpyside/dynamicqmetaobject.cpp
@@ -166,7 +166,8 @@ static bool isQRealType(const char *type)
 
 uint PropertyData::flags() const
 {
-    const char* typeName = type().data();
+    const QByteArray btype(type());
+    const char* typeName = btype.data();
     uint flags = Invalid;
     if (!isVariantType(typeName))
          flags |= EnumOrFlag;

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

0001-Fix-user-after-free-in-QProperty.patch
0.8 kB
10 Jan '14 14:40

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Christian Tismer

Reporter:: Pankaj Pandey

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 10 Jan '14 14:40

Updated:: 05 Mar '17 10:46

Resolved:: 05 Mar '17 10:46

Gerrit Reviews

There are no open Gerrit changes