Details
-
Bug
-
Resolution: Done
-
P3: Somewhat important
-
5.12, 5.15
-
Windows
-
af22ccf5605c6b7b20b845fb2b4003d3f56d8bc9 (qt/qtbase/dev) c7e5f92aac16c83611c6b106fbdf311d0a474548 (qt/qtbase/5.15) 0692398b0b1ce505d8d84791dfd99c390c8ecf69 (qt/qtbase/5.12)
Description
When QDomAttr::setNodeValue is called, it causes double memory release, hence
the program halts and produces the following message.
HEAP[QDomAttr_DoubleRelease.exe]: HEAP: Free Heap block 0000023C5B729CE0 modified at 0000023C5B729D28 after it was freed
The problem seems to come from the following part in qdom.cpp.
void QDomAttrPrivate::setNodeValue(const QString& v) { value = v; QDomTextPrivate *t = new QDomTextPrivate(nullptr, this, v); // keep the refcount balanced: appendChild() does a ref anyway. t->ref.deref(); if (first) { delete removeChild(first); // <--- This deletes without checking the reference count of the return value of removeChild } appendChild(t); }
The attached patch qtbug86547.patch
seems to fix the problem in Qt5.12.7.
It'd be nice to have a fix in Qt5.15 series.
How to reproduce the problem
Run QDomAttr_DoubleRelease.zip
Attachments
| For Gerrit Dashboard: QTBUG-86547 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 314425,3 | Fix a double deletion in QDomAttr::setNodeValue() | dev | qt/qtbase | Status: MERGED | +2 | 0 |
| 314503,2 | Fix a double deletion in QDomAttr::setNodeValue() | 5.12 | qt/qtbase | Status: MERGED | +2 | 0 |
| 314504,2 | Fix a double deletion in QDomAttr::setNodeValue() | 5.15 | qt/qtbase | Status: MERGED | +2 | 0 |