Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-69204

QStyleSheetStyle updateObjects() can cause segmentation faults

    XMLWordPrintable

Details

    • Linux/X11, macOS, Windows
    • 21dcb96ddca357a6e8ace4b1c7252ec465e77727 (qt/qtbase/5.12)

    Description

      updateObjects() in qtbase/src/widgets/styles/qstylesheetstyle.cpp can cause a segmentation fault.

      This happens because updateObjects processes a list of all children and grandchildren of an object. It iterates over each object and announces a StyleChange event for each one of them. If an object reacts on this StyleChange event by (among other things) deleting one of its children, the list that updateObjects received will end up with an invalid element, and because the loop will eventually reach that element the program will crash.

      This 25-line program will trigger the bug:

      #include <QApplication>
      #include <QLabel>
      #include <QSplitter>
      #include <QMainWindow>
      
      int main(int argc, char *argv[])
      {
          QApplication a(argc, argv);
          QMainWindow w;
          QSplitter* splitter1 = new QSplitter(w.centralWidget());
          QSplitter* splitter2 = new QSplitter;
          QSplitter* splitter3 = new QSplitter;
          splitter2->addWidget(splitter3);
      
          splitter2->setStyleSheet("a { b:c; }");
          QLabel *label = new QLabel;
          label->setTextFormat(Qt::RichText);
          splitter3->addWidget(label);
          label->setText("hey");
      
          splitter1->addWidget(splitter2);
          w.show();
      
          return a.exec();
      }
      

      In this code example splitter3's QSplitter::changeEvent() will execute. When that happens, a grandchild to the QLabel, a QTextFrame, will be deleted and replaced. That's element 0 in the list. At index 6 we have a pointer to the old QTextFrame, and that's what will crash the application.

      Attachments

        Issue Links

          For Gerrit Dashboard: QTBUG-69204
          # Subject Branch Project Status CR V

          Activity

            People

              frederik Frederik Gladhorn
              vuxen Mazen Mardini
              Votes:
              11 Vote for this issue
              Watchers:
              17 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes