1berry/qtbase
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix invalid memory access when a slot deletes the sender.

Browse Source 
Only happens with active signal spy callbacks. The Connection object can
be deleted when returning from the slot here, so accessing it for the
method index for the signal end callback will access invalid memory.

Change-Id: I44643a171863c35a94e7a5ffa096fcaac5abd509
Reviewed-by: Milian Wolff <milian.wolff@kdab.com>
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
This commit is contained in:
Volker Krause 2015-01-21 22:20:26 +01:00
parent c8c68ecb8f
commit 0c4c841ce8
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/corelib/kernel/qobject.cpp
View File

@ -3710,13 +3710,14 @@ void QMetaObject::activate(QObject *sender, int signalOffset, int local_signal_i
} else if (callFunction && c->method_offset <= receiver->metaObject()->methodOffset()) {
//we compare the vtable to make sure we are not in the destructor of the object.
locker.unlock();
const int methodIndex = c->method();
if (qt_signal_spy_callback_set.slot_begin_callback != 0)
qt_signal_spy_callback_set.slot_begin_callback(receiver, c->method(), argv ? argv : empty_argv);
qt_signal_spy_callback_set.slot_begin_callback(receiver, methodIndex, argv ? argv : empty_argv);
callFunction(receiver, QMetaObject::InvokeMetaMethod, method_relative, argv ? argv : empty_argv);
if (qt_signal_spy_callback_set.slot_end_callback != 0)
qt_signal_spy_callback_set.slot_end_callback(receiver, c->method());
qt_signal_spy_callback_set.slot_end_callback(receiver, methodIndex);
locker.relock();
} else {
const int method = method_relative + c->method_offset;