Details
- Bug
- Resolution: Done
- P2: Important
- 5.4.1, 5.5.0
- None
- Windows 7 64-bit
- 4c3fa449acfc7ec43f3b2c53318c2838ceba5a86 (qtbase/5.5, 26.8.2015, 5.5.1)
Description
A crash occurs in QWindowsWindow::setDropSiteEnabled when the window is destroyed. CoLockObjectExternal is referencing m_dropTarget after its refcount has already been dropped to zero and the object has been released. The crash message is an unhandled exception in ole32.dll, access violation reading location 0xFFFFFFFFFFFFFFFF.
I have confirmed that the crash is resolved by first unlocking the object and then releasing it, and I have attached the appropriate patch.
I have not attempted to find the minimal application code required to reproduce the issue, but in our application it occurs when clicking the close button on the window. I discovered the issue using Qt 5.4.1; however, from inspecting the code in 5.5.0, I see the same problem is present.
Interestingly, the very same problem of calling CoLockObjectExternal in the wrong order was discovered and fixed several years ago in a similar bit of code; see QTBUG-13237.
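The ordering problem described in this report, as an added portable C++ model (not Qt's code and not the attached patch). `ModelDropTarget`, `modelLockExternal` and the two teardown functions are hypothetical stand-ins for `m_dropTarget`, `CoLockObjectExternal` and the cleanup path, and the model assumes, as the report states, that `Release()` is the call that takes the refcount to zero.

```cpp
#include <cstdio>

// Added model, not Qt or COM code: every name below is hypothetical.
struct ModelDropTarget {
    long refs = 1;               // assumption: the creator holds the only counted reference
    bool destroyed = false;      // stands in for `delete this`; storage is kept for inspection
    bool externallyLocked = false;
    int staleAccesses = 0;       // uses of the object after its count reached zero
    long Release() {             // same contract as IUnknown::Release
        if (--refs == 0) destroyed = true;
        return refs;
    }
};

// Stand-in for CoLockObjectExternal(obj, lock, ...): the call has to touch obj.
// A real call on a destroyed object reads freed memory; the model counts it instead.
void modelLockExternal(ModelDropTarget &obj, bool lock) {
    if (obj.destroyed)
        ++obj.staleAccesses;
    else
        obj.externallyLocked = lock;
}

struct Outcome { int staleAccesses; bool lockLeftSet; bool destroyed; };

// Order described in the report: Release() first, then unlock.
Outcome teardownReleaseFirst() {
    ModelDropTarget t;
    modelLockExternal(t, true);
    t.Release();                  // 1 -> 0: the object is gone
    modelLockExternal(t, false);  // references the released object
    return {t.staleAccesses, t.externallyLocked, t.destroyed};
}

// Order of the fix in the report: unlock while the reference is held, then Release().
Outcome teardownUnlockFirst() {
    ModelDropTarget t;
    modelLockExternal(t, true);
    modelLockExternal(t, false);
    t.Release();
    return {t.staleAccesses, t.externallyLocked, t.destroyed};
}

int main() {
    Outcome bad = teardownReleaseFirst(), good = teardownUnlockFirst();
    std::printf("release first: %d stale, unlock first: %d stale\n", bad.staleAccesses, good.staleAccesses);
    return 0;
}
```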
Issue Links
- relates to: QTBUG-13237 Crash in QWidgetPrivate::unregisterOleDnd() when dropTarget->Release() decrements reference count to zero (Closed)
For Gerrit Dashboard: QTBUG-47737

# | Subject | Branch | Project | Status | CR | V |
---|---|---|---|---|---|---|
123536,2 | Fix potential crash in QWindowsWindow::setDropSiteEnabled(). | 5.5 | qt/qtbase | Status: MERGED | +2 | 0 |