Details
- Type: Bug
- Resolution: Fixed
- Priority: P2: Important
- 6.10
- None
- Commits: 78a46bf16 (dev), b22343712 (6.9), fbc7223df (6.8)
Description
These are the streaming operators for QEasingCurve:
```cpp
QDataStream &operator<<(QDataStream &stream, const QEasingCurve &easing)
{
    stream << quint8(easing.d_ptr->type);
    stream << quint64(quintptr(easing.d_ptr->func)); // <-- HERE
    bool hasConfig = easing.d_ptr->config;
    stream << hasConfig;
    if (hasConfig) {
        stream << easing.d_ptr->config;
    }
    return stream;
}

QDataStream &operator>>(QDataStream &stream, QEasingCurve &easing)
{
    QEasingCurve::Type type;
    quint8 int_type;
    stream >> int_type;
    type = static_cast<QEasingCurve::Type>(int_type);
    easing.setType(type);

    quint64 ptr_func;
    stream >> ptr_func;
    easing.d_ptr->func = QEasingCurve::EasingFunction(quintptr(ptr_func)); // <-- HERE

    bool hasConfig;
    stream >> hasConfig;
    delete easing.d_ptr->config;
    easing.d_ptr->config = nullptr;
    if (hasConfig) {
        QEasingCurveFunction *config = curveToFunctionObject(type);
        stream >> config;
        easing.d_ptr->config = config;
    }
    return stream;
}
```
The lines marked // <-- HERE stream out a function pointer as an integer and then try to set it back to what it was.
Needless to say, unless this happens in the very same process, this will never work, and will instead crash a program.
I propose to delete these operators (API/ABI break) since we can't keep backwards compatibility anyhow, and QDataStream does not have a way to signal protocol errors.
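The following is an added illustration, not Qt code and not the fix that was merged: a Qt-free stand-in for the two operators above, small enough to run on its own. It shows the same-process round trip that makes the pointer-as-integer scheme look like it works, what a decoder does with an integer that arrived from anywhere else, and one way to decode without ever turning stream data into a pointer (derive the function from a validated type, reject a stream that claims a Custom curve). `Curve`, `ByteStream`, `decodeUnsafe`, `decodeSafe`, the enum values and the hostile byte strings are all invented here for the example.

```cpp
// Added example (not Qt code): a minimal stand-in for the QEasingCurve streaming
// operators, written without Qt so it runs stand-alone. All names are invented.
#include <cstdint>
#include <cstddef>
#include <vector>

using EasingFunction = double (*)(double);

// Enum values chosen for illustration only; they are not QEasingCurve's.
enum class CurveType : uint8_t { Linear = 0, InQuad = 1, Custom = 45 };

static double linear(double t) { return t; }
static double inQuad(double t) { return t * t; }

// The only trustworthy way to obtain a function pointer: from a validated type.
static EasingFunction curveForType(CurveType type) {
    switch (type) {
    case CurveType::Linear: return &linear;
    case CurveType::InQuad: return &inQuad;
    default:                return nullptr; // Custom has no table entry
    }
}

struct Curve {
    CurveType type = CurveType::Linear;
    EasingFunction func = nullptr;
};

// Big-endian byte stream standing in for QDataStream; tracks truncation as "corrupt".
struct ByteStream {
    std::vector<uint8_t> buf;
    size_t pos = 0;
    bool corrupt = false;

    void putU8(uint8_t v) { buf.push_back(v); }
    void putU64(uint64_t v) { for (int i = 7; i >= 0; --i) buf.push_back(uint8_t(v >> (i * 8))); }
    bool getU8(uint8_t &v) {
        if (pos + 1 > buf.size()) { corrupt = true; return false; }
        v = buf[pos++]; return true;
    }
    bool getU64(uint64_t &v) {
        if (pos + 8 > buf.size()) { corrupt = true; return false; }
        v = 0; for (int i = 0; i < 8; ++i) v = (v << 8) | buf[pos++]; return true;
    }
};

// Encoding as in the report: the function pointer goes out as a plain integer.
void encode(ByteStream &s, const Curve &c) {
    s.putU8(uint8_t(c.type));
    s.putU64(uint64_t(reinterpret_cast<uintptr_t>(c.func)));
}

// Decoding as in the report: whatever integer arrives becomes a function pointer.
// Only the same process with the same address layout gets the original back; any
// other input yields a pointer into arbitrary memory that the caller may later jump to.
bool decodeUnsafe(ByteStream &s, Curve &c) {
    uint8_t t; uint64_t p;
    if (!s.getU8(t) || !s.getU64(p)) return false;
    c.type = CurveType(t);
    c.func = reinterpret_cast<EasingFunction>(uintptr_t(p));
    return true;
}

// One possible hardening (an assumption for this example, not Qt's merged fix): the
// integer is read for wire compatibility but discarded; the function is re-derived from
// the type; an unknown type or a Custom curve (only expressible via a pointer) is rejected.
bool decodeSafe(ByteStream &s, Curve &c) {
    uint8_t t; uint64_t ignored;
    if (!s.getU8(t) || !s.getU64(ignored)) return false;
    EasingFunction f = curveForType(CurveType(t));
    if (f == nullptr) { s.corrupt = true; return false; }
    c.type = CurveType(t);
    c.func = f;
    return true;
}

// Constructed hostile input: a valid type byte followed by an attacker-chosen "pointer".
std::vector<uint8_t> hostileBytes() {
    ByteStream s; s.putU8(uint8_t(CurveType::InQuad)); s.putU64(0x4141414141414141ull);
    return s.buf;
}

// Constructed input that claims a Custom curve, which cannot be restored from a stream.
std::vector<uint8_t> customBytes() {
    ByteStream s; s.putU8(uint8_t(CurveType::Custom)); s.putU64(0);
    return s.buf;
}
```

The point the example makes is the one in the report: a function pointer is process-local state, so an integer read from a stream must never be cast back into one. The safe decoder treats the type byte as the only input and the function table as the only source of pointers, and it has to refuse a Custom curve because the stream carries nothing that could legitimately describe one.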
For Gerrit Dashboard: QTBUG-132575

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 619028,1 | QEasingCurve: fix (de)serialization in QDataStream | tqtc/lts-6.5 | qt/tqtc-qtbase | NEW | +2 | 0 |
| 615346,4 | QEasingCurve: fix (de)serialization in QDataStream | dev | qt/qtbase | MERGED | +2 | 0 |
| 618849,2 | QEasingCurve: fix (de)serialization in QDataStream | 6.9 | qt/qtbase | MERGED | +2 | 0 |
| 618953,2 | QEasingCurve: fix (de)serialization in QDataStream | 6.8 | qt/qtbase | MERGED | +2 | 0 |