QGraphicsScene: Fix UB (invalid cast) in removeItemHelper()

The variable 'item' may or may not contain a QGraphicsObject
pointer. Using static_cast on an 'item' that isn't, is UB.

Found by UBSan (which failed to print a message, but the
function names gave it away):

  [...]
  #6  <signal handler called>
  #7  0x00002b18813bec05 in __ubsan::checkDynamicType(void*, void*, unsigned long) () from /opt/gcc/trunk/lib64/libubsan.so.0
  #8  0x00002b18813be0c3 in HandleDynamicTypeCacheMiss(__ubsan::DynamicTypeCacheMissData*, unsigned long, unsigned long, __ubsan::ReportOptions) () from /opt/gcc/trunk/lib64/libubsan.so.0
  #9  0x00002b18813be783 in __ubsan_handle_dynamic_type_cache_miss () from /opt/gcc/trunk/lib64/libubsan.so.0
  #10 0x00002b1875e71d4d in QGraphicsScenePrivate::removeItemHelper(QGraphicsItem*) () at /home/marc/Qt/qt5/qtbase/src/widgets/graphicsview/qgraphicsscene.cpp:720
  #11 0x00002b1875e731ef in QGraphicsScene::removeItem(QGraphicsItem*) () at /home/marc/Qt/qt5/qtbase/src/widgets/graphicsview/qgraphicsscene.cpp:2929
  #12 0x00002b1875e6d05f in QGraphicsScenePrivate::removeItemHelper(QGraphicsItem*) () at /home/marc/Qt/qt5/qtbase/src/widgets/graphicsview/qgraphicsscene.cpp:604
  #13 0x00002b1875e731ef in QGraphicsScene::removeItem(QGraphicsItem*) () at /home/marc/Qt/qt5/qtbase/src/widgets/graphicsview/qgraphicsscene.cpp:2929
  #14 0x00002b1875e73e68 in QGraphicsScene::addItem(QGraphicsItem*) () at /home/marc/Qt/qt5/qtbase/src/widgets/graphicsview/qgraphicsscene.cpp:2505
  #15 0x000000000043d34d in tst_QGraphicsWidget::fontPropagationSceneChange() () at /home/marc/Qt/qt5/qtbase/tests/auto/widgets/graphicsview/qgraphicswidget/tst_qgraphicswidget.cpp:941
  [...]

Fix by using QGraphicsItem::toGraphicsObject().
Yes, it's that simple...

Change-Id: If04d1b62603cfd808cc7b64946da536c221a0c11
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@qt.io>

This commit is contained in:

Marc Mutz

2016-09-20 15:32:17 +02:00

parent abe8b4ab9b

commit f6cb8b1af8

1 changed files with 1 additions and 1 deletions

									
										2

src/widgets/graphicsview/qgraphicsscene.cpp
									
										View File
										
				@ -710,7 +710,7 @@ void QGraphicsScenePrivate::removeItemHelper(QGraphicsItem *item)

				            ++it;

				    }

				    QGraphicsObject *dummy = static_cast<QGraphicsObject *>(item);

				    QGraphicsObject *dummy = item->toGraphicsObject();

				    cachedTargetItems.removeOne(dummy);

				    cachedItemGestures.remove(dummy);

				    cachedAlreadyDeliveredGestures.remove(dummy);

QGraphicsScene: Fix UB (invalid cast) in removeItemHelper()

2 src/widgets/graphicsview/qgraphicsscene.cpp Unescape Escape View File

2

src/widgets/graphicsview/qgraphicsscene.cpp

View File