A default-constructed QJsonObject has no data payload, it is only a pair of null
pointers. So, when it becomes necessary to 'materialize' such an object, a
special global emptyObject constant is used as the substitute payload. There is
a small problem with this global constant though, namely that it's is_object
flag is unset. In other words, the emptyObject is not an object, but an array.
Fix by setting the is_object flag on emptyObject.
The example code in the bug report
QJsonObject parent;
QJsonObject child;
parent["child"] = child; // 1
child = parent["child"].toObject(); // 2
child["test"] = "test"; // 3
runs into this problem on line 1. Inserting the default-constructed child means
inserting a copy of emptyObject. On line 2 a pointer to this copy of emptyObject
is retrieved and cast to an object. But it's not an object, it's an array, so
things go wrong hereafter.
Specifically, on line 3, two inserts are performed, one from operator[] and one
from operator=. Each insert increments a compaction counter. The second insert
triggers compaction (QJsonObject::insert calls Value::requiredStorage calls
Data::compact) and compaction branches based on the is_object flag. Replacing
line 3 with
child.insert("test", "test");
causes the example to appear to work since compaction is not triggered and the
JSON serializer does not look at the is_object flag. Still, any further insert()
calls would trigger compaction and memory corruption.
Task-number: QTBUG-69626
Change-Id: I8bd5174dce95998bac479c4b4ffea70bca1a4d04
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
f43e947dc4