96e1381a0a
QObjectPrivate::getPropertyAdaptorSlotObject called connectionsForSignal. Calling this function is only safe after it has been ensured beforehand that the vector has size > signalIndex. As getPropertyAdaptorSlotObject is not supposed to modify the vector, it does not resize the vector and it could consequently end up with an out-of-bounds read. To avoid that issue, we instead first check if the vector can potentially contain an entry for the signal. If not, we simply return nullptr, and avoid the call to connectionsForSignal. The issue and its fix can be verified by running the modified tst_qproperty test with ASAN enabled. The test is modified in the following way: - We first create a signal connection to a dummy slot. Otherwise, connections.loadRelaxed() would return a nullptr, and the problematic code would never be reached. - We add enough signals to ensure that the fooChanged signal will actually be out of reach (which means >= 8 signals, as the initial capacity of the vector is 8) Running the test without ASAN will most likely not result in a failure, as then the out-of-bounds read will simply read garbage, and the most likely result is that the cast below will fail. Pick-to: 6.6 6.5 Change-Id: I18a3c4f52769c2b6491a685abb84f6fcfb44e4d8 Reviewed-by: Ivan Solovev <ivan.solovev@qt.io> |
||
---|---|---|
.github/workflows | ||
bin | ||
cmake | ||
coin | ||
config.tests | ||
dist | ||
doc | ||
examples | ||
lib | ||
libexec | ||
LICENSES | ||
mkspecs | ||
qmake | ||
src | ||
tests | ||
util | ||
.cmake.conf | ||
.gitattributes | ||
.gitignore | ||
.lgtm.yml | ||
.tag | ||
CMakeLists.txt | ||
config_help.txt | ||
configure | ||
configure.bat | ||
configure.cmake | ||
dependencies.yaml | ||
qt_cmdline.cmake | ||
sync.profile |