QStyleSheet/QProxyStyle: Avoid deref after setWindowFlags in polish

When invoking setWindowFlags with a QStyleSheet and QProxyStyle set, a repolish is recursivly done creating a second QStyleSheetStyle in QWidgetPrivate::inheritStyle due to not cleared WA_SetStyle window flag. This leads to a use-after-free in the then following recursive call to QStyle::polish. This patch uses the previously create QStyleSheetStyle in the case that there is already a QStyleSheetStyle for the proxy. Fixes: QTBUG-125513 Pick-to: 6.8 6.7 Change-Id: I841bf68143e893d74ab7373b7a3d3d4ee2bce514 Reviewed-by: Richard Moe Gustavsen <richard.gustavsen@qt.io>
2024-05-30 13:47:58 +02:00 · 2024-05-30 13:47:58 +02:00 · 26af5d1854
commit 26af5d1854
parent a3df8dac90
1 changed files with 3 additions and 1 deletions
--- a/src/widgets/kernel/qwidget.cpp
+++ b/src/widgets/kernel/qwidget.cpp
@ -2725,8 +2725,10 @@ void QWidgetPrivate::inheritStyle()
    // to be running a proxy
    if (!qApp->styleSheet().isEmpty() || qt_styleSheet(parentStyle)) {
        QStyle *newStyle = parentStyle;
-        if (q->testAttribute(Qt::WA_SetStyle))
+        if (q->testAttribute(Qt::WA_SetStyle) && qt_styleSheet(origStyle) == nullptr)
            newStyle = new QStyleSheetStyle(origStyle);
+        else if (auto *styleSheetStyle = qt_styleSheet(origStyle))
+            newStyle = styleSheetStyle;
        else if (QStyleSheetStyle *newProxy = qt_styleSheet(parentStyle))
            newProxy->ref();