updateObjects() in qtbase/src/widgets/styles/qstylesheetstyle.cpp can cause a segmentation fault.

This happens because updateObjects processes a list of all children and grandchildren of an object. It iterates over each object and announces a StyleChange event for each one of them. If an object reacts on this StyleChange event by (among other things) deleting one of its children, the list that updateObjects received will end up with an invalid element, and because the loop will eventually reach that element the program will crash.

This 25-line program will trigger the bug:

#include <QApplication>
#include <QLabel>
#include <QSplitter>
#include <QMainWindow>

int main(int argc, char *argv[])
{
    QApplication a(argc, argv);
    QMainWindow w;
    QSplitter* splitter1 = new QSplitter(w.centralWidget());
    QSplitter* splitter2 = new QSplitter;
    QSplitter* splitter3 = new QSplitter;
    splitter2->addWidget(splitter3);

    splitter2->setStyleSheet("a { b:c; }");
    QLabel *label = new QLabel;
    label->setTextFormat(Qt::RichText);
    splitter3->addWidget(label);
    label->setText("hey");

    splitter1->addWidget(splitter2);
    w.show();

    return a.exec();
}

In this code example splitter3's QSplitter::changeEvent() will execute. When that happens, a grandchild to the QLabel, a QTextFrame, will be deleted and replaced. That's element 0 in the list. At index 6 we have a pointer to the old QTextFrame, and that's what will crash the application.