Details
- Bug
- Resolution: Fixed
- P1: Critical
- 5.13.0
- None
- 2ce4a9f48705095669cb74c8de9d8a72f9d49b0e (qt/qtbase/5.13)
Description
The following will crash:
```cpp
QPainterPath p;
p.reserve(42);
```
This is because QPainterPath's default constructor doesn't create a d-pointer, but the QPainterPath::reserve() will still try to access it:
```cpp
void QPainterPath::reserve(int size)
{
    Q_D(QPainterPath);
    if ((!d && size > 0) || (d && d->elements.capacity() < size)) {
        // Here d is null, but it will be dereferenced in both detach() and in the line after
        detach();
        d->elements.reserve(size);
    }
}
```
Maybe we're not supposed to call reserve on a fully empty QPainterPath, but the documentation doesn't mention this, and it is quite easy to make it crash...
For Gerrit Dashboard: QTBUG-76516

# | Subject | Branch | Project | Status | CR | V |
---|---|---|---|---|---|---|
265641,2 | Fix crash in QPainterPath::reserve() | 5.13 | qt/qtbase | Status: MERGED | +2 | 0 |
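
A minimal model of the pattern described in the report, as an added example that is not Qt's code and not the merged change: `LazyPath`, `PathData`, `ensureData()` and the two helper functions are hypothetical names. It keeps the reported condition but allocates the lazily created private data before `detach()` or the reserve call dereference it.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Hypothetical stand-in for the private data behind a d-pointer.
struct PathData { std::vector<int> elements; };

class LazyPath {
public:
    LazyPath() = default;   // as in the report: the constructor creates no private data

    std::size_t capacity() const { return d ? d->elements.capacity() : 0; }

    // Same condition as the reported function; the private data is created
    // before anything dereferences it.
    void reserve(int size) {
        if ((!d && size > 0) || (d && static_cast<int>(d->elements.capacity()) < size)) {
            ensureData();   // d is non-null from here on
            detach();       // copy-on-write before mutating shared data
            d->elements.reserve(static_cast<std::size_t>(size));
        }
    }

private:
    void ensureData() { if (!d) d = std::make_shared<PathData>(); }
    void detach() { if (d.use_count() > 1) d = std::make_shared<PathData>(*d); }

    std::shared_ptr<PathData> d;   // null until first needed
};

// Capacity after calling reserve() on a default-constructed object.
std::size_t reserveOnEmpty(int size) {
    LazyPath p;
    p.reserve(size);
    return p.capacity();
}

// Reserving on a copy must detach and leave the original's storage alone.
bool copyStaysIndependent() {
    LazyPath a;
    a.reserve(4);
    LazyPath b = a;         // b shares a's private data
    b.reserve(1000);
    return a.capacity() < 1000 && b.capacity() >= 1000;
}

int main() {
    std::printf("%zu %d\n", reserveOnEmpty(42), copyStaysIndependent());
}
```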