Qt / QTBUG-76516

Crash when calling QPainterPath::reserve() on an uninitialized QPainterPath


    Details

    • Type: Bug
    • Status: Closed
    • Priority: P1: Critical
    • Resolution: Fixed
    • Affects Version/s: 5.13.0
    • Fix Version/s: 5.13.1, 5.14.0 Alpha
    • Component/s: GUI: Painting
    • Labels: None
    • Platform/s: All
    • Commits: 2ce4a9f48705095669cb74c8de9d8a72f9d49b0e (qt/qtbase/5.13)

      Description

      The following will crash:

      QPainterPath p;
      p.reserve(42);


      This is because QPainterPath's default constructor doesn't create a d-pointer, but QPainterPath::reserve() will still try to access it:

      void QPainterPath::reserve(int size)
      {
          Q_D(QPainterPath);
          if ((!d && size > 0) || (d && d->elements.capacity() < size)) {
              // Here d is null, but it will be dereferenced in both detach() and in the line after
              detach();
              d->elements.reserve(size);
          }
      }
      Maybe we're not supposed to call reserve on a fully empty QPainterPath, but the documentation doesn't mention this, and it is quite easy to make it crash...
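      As an added illustration (not Qt's code and not the fix from the commit listed above), here is a small stand-alone C++ model of the same lazily allocated, copy-on-write d-pointer, with a reserve() that creates the private data before anything touches it. Path, PathPrivate and ensureData() are names chosen for this example.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Private data, shared between copies until one of them writes (copy-on-write).
struct PathPrivate {
    std::vector<int> elements;   // stands in for the path's element list
};

class Path {
public:
    Path() = default;            // like QPainterPath(): d stays null until needed

    bool isNull() const { return !d; }
    std::size_t capacity() const { return d ? d->elements.capacity() : 0; }
    std::size_t size() const { return d ? d->elements.size() : 0; }

    // Guarded reserve(): allocate the private data before anything touches it,
    // so a default-constructed path no longer dereferences a null pointer.
    void reserve(std::size_t n) {
        if (!d && n > 0)
            ensureData();                       // the step missing in the report
        if (d && d->elements.capacity() < n) {
            detach();                           // unshare before writing
            d->elements.reserve(n);
        }
    }

    void addElement(int e) { ensureData(); detach(); d->elements.push_back(e); }
private:
    void ensureData() { if (!d) d = std::make_shared<PathPrivate>(); }
    // detach() deliberately stays a no-op when d is null: that is exactly why the
    // original reserve() crashed on the line after its detach() call.
    void detach() {
        if (d && d.use_count() > 1)
            d = std::make_shared<PathPrivate>(*d);
    }
    std::shared_ptr<PathPrivate> d;
};

// Scenario from the report: reserve() on a freshly constructed path.
std::size_t reserveOnFreshPath(std::size_t n) { Path p; p.reserve(n); return p.capacity(); }
// reserve(0) on a null path must stay cheap: no private data gets allocated.
bool reserveZeroKeepsNull() { Path p; p.reserve(0); return p.isNull(); }
// Copy-on-write: writing to a copy must not alter the original.
bool copyIsDetached() {
    Path p; p.addElement(1);
    Path q = p; q.addElement(2);
    return p.size() == 1 && q.size() == 2;
}
```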
            People

            • Assignee: Eirik Aavitsland (vgt)
            • Reporter: Romain Moret (moretromain)
            • Votes: 0
            • Watchers: 1
