From 26af5d1854336907d6d7fd6aa1ad060f6d38ce1c Mon Sep 17 00:00:00 2001
From: Wladimir Leuschner
Date: Thu, 30 May 2024 13:47:58 +0200
Subject: [PATCH] QStyleSheet/QProxyStyle: Avoid deref after setWindowFlags in polish

When invoking setWindowFlags with a QStyleSheet and QProxyStyle set, a repolish is recursivly done creating a second QStyleSheetStyle in QWidgetPrivate::inheritStyle due to not cleared WA_SetStyle window flag. This leads to a use-after-free in the then following recursive call to QStyle::polish. This patch uses the previously create QStyleSheetStyle in the case that there is already a QStyleSheetStyle for the proxy.

Fixes: QTBUG-125513
Pick-to: 6.8 6.7
Change-Id: I841bf68143e893d74ab7373b7a3d3d4ee2bce514
Reviewed-by: Richard Moe Gustavsen
---
 src/widgets/kernel/qwidget.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/widgets/kernel/qwidget.cpp b/src/widgets/kernel/qwidget.cpp
index 46e0d2c76c7..0af28e3cfd5 100644
--- a/src/widgets/kernel/qwidget.cpp
+++ b/src/widgets/kernel/qwidget.cpp
@@ -2725,8 +2725,10 @@ void QWidgetPrivate::inheritStyle()
 // to be running a proxy
 if (!qApp->styleSheet().isEmpty() || qt_styleSheet(parentStyle)) {
 QStyle *newStyle = parentStyle;
- if (q->testAttribute(Qt::WA_SetStyle))
+ if (q->testAttribute(Qt::WA_SetStyle) && qt_styleSheet(origStyle) == nullptr)
 newStyle = new QStyleSheetStyle(origStyle);
+ else if (auto *styleSheetStyle = qt_styleSheet(origStyle))
+ newStyle = styleSheetStyle;
 else if (QStyleSheetStyle *newProxy = qt_styleSheet(parentStyle))
 newProxy->ref();