qt5base-lts/tests/auto/corelib/kernel/qvariant
Jøger Hansegård a8792feaaa Fix crash in QVariant::convert and QVariant::view
`QVariant::convert` may lead to a crash or produce garbage data when
attempting to convert a gadget between a pointer type and a value type,
for example from a variant holding a QLocale gadget to a QLocale*
pointer and vice versa. Similarly, `QVariant::view` may crash under the
same conditions.

The reason is that conversion is implemented through copy construction
assuming that both source and target types are either both pointers or
both values. If converting from pointer to value type, the result is a
crash during destruction of the QVariant. If converting from value to
pointer type, the result is a QVariant holding a pointer to garbage
data (and possibly a crash if the pointer is dereferenced).

Similarly, if attempting to convert a pointer to a QObject derived type
to its value type, the system crashes, with a slightly different failure
mode. During `QVariant::convert`, a temporary `QVariant` of the target
type is created. Since objects that cannot be copy constructed are
invalid for `QVariant`, the temporary is left empty without constructing
the target value. Then, when attempting to convert from a pointer type
to a value type, the temporary's destructor is incorrectly called on the
owned object. Since the owned object is never constructed, this leads to
a crash.

The proposed fix is to return false from `QMetaType::view`,
`QMetaType::canView`, `QMetaType::convert`, and `QMetaType::canConvert`
if the target type is of different 'pointedness' than the source type.

After this fix, converting and viewing gadgets and QObjects behaves the
same way as primitive types and core types, which already returned false
when converting between value type and pointer type.

Fixes: QTBUG-114797
Pick-to: 6.5 6.6
Change-Id: If5ad764a60f2f3c912070198073b28999d995f17
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
2023-07-02 16:01:15 +02:00
stream Remove QRegExp from QVariant 2020-05-14 12:19:47 +00:00
.gitignore Moving relevant tests to corelib/kernel 2011-09-01 12:42:14 +02:00
CMakeLists.txt tests: Remove remains of qmake conversion from CMakeLists.txt files 2023-02-17 21:56:49 +01:00
tst_qvariant.cpp Fix crash in QVariant::convert and QVariant::view 2023-07-02 16:01:15 +02:00