Details
-
Bug
-
Resolution: Fixed
-
P1: Critical
-
6.5.1, 6.5
-
Linux/X11
-
f6735dba9 (dev), 76bf33115 (6.6), a67e0a6e5 (6.5)
Description
Creating debug output using console.log() (or any of it's friends) from a QML component which has been converted into C++ using qmlcachegen results in a heap-use-after-free during execution.
The problem was introduced while implementing https://bugreports.qt.io/browse/QTBUG-107175 and can be found here: https://code.qt.io/cgit/qt/qtdeclarative.git/tree/src/qml/qml/qqml.cpp?h=v6.5.1#n1323
QMessageLogger logger(qUtf8Printable(frame->source()), frame->lineNumber(),
qUtf8Printable(frame->function()), loggingCategory->categoryName());
switch (type) {
case QtDebugMsg:
logger.debug("%s", qUtf8Printable(message));
break;
When calling the constructor of QMessageLogger qUtf8Printable is called. The resulting const char Pointer from qUtf8Printable() is defined to be invalid after this line.
QMessageLogger saves the pointers in it's QMessageLogContext and they will be accessed in case the function or filename should be printed.
// Shows how to set the messagePattern in order to print file and function QString messagePattern; messagePattern += "%{if-debug}DEBG%{endif}" "%{if-info}INFO%{endif}" "%{if-warning}WARN%{endif}" "%{if-critical}CRIT%{endif}" "%{if-fatal}FATL%{endif}" ".%{category}\t; %{threadid}; %{file}:%{line}; %{function}(); %{message}"; qSetMessagePattern(messagePattern);
Fix:
The resulting pointers from qUtf8Printable(frame->source()) and qUtf8Printable(frame->function()) must not be saved as they are temporary!