Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: P1: Critical
Fix Version/s: 5.13.1, 5.14.0 Alpha
Affects Version/s: 5.13.0
Component/s: GUI: Painting
Labels:
None

Platform/s:

All
Commits:
2ce4a9f48705095669cb74c8de9d8a72f9d49b0e (qt/qtbase/5.13)

Description

The following will crash:

QPainterPath p;
p.reserve(42);

This is because QPainterPath's default constructor doesn't create a d-pointer, but the QPainterPath::reserve() will still try to access it:

void QPainterPath::reserve(int size)
{
    Q_D(QPainterPath);
    if ((!d && size > 0) || (d && d->elements.capacity() < size)) {
        // Here d is null, but it will be dereferenced in both detach() and in the line after
        detach();
        d->elements.reserve(size);
    }
}

Maybe we're not supposed to call reserve on a fully empty QPainterPath, but the documentation doesn't mention this, and it is quite easy to make it crash...

Attachments

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Eirik Aavitsland

Reporter:: Romain Moret

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 19 Jun '19 12:18

Updated:: 27 Jun '19 20:53

Resolved:: 21 Jun '19 09:29

Gerrit Reviews

There are no open Gerrit changes

Show There is 1 closed Gerrit change

Hide There is 1 closed Gerrit change

Fix crash in QPainterPath::reserve(): Gerrit Review: