Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: P3: Somewhat important
Fix Version/s: 5.12.10, 5.15.2
Affects Version/s: 5.12, 5.15
Component/s: XML: DOM
Labels:
- reported_by_support_standard

Platform/s:

Windows
Commits:
af22ccf5605c6b7b20b845fb2b4003d3f56d8bc9 (qt/qtbase/dev) c7e5f92aac16c83611c6b106fbdf311d0a474548 (qt/qtbase/5.15) 0692398b0b1ce505d8d84791dfd99c390c8ecf69 (qt/qtbase/5.12)

Description

When QDomAttr::setNodeValue is called, it causes double memory release, hence
the program halts and produces the following message.

HEAP[QDomAttr_DoubleRelease.exe]: HEAP: Free Heap block 0000023C5B729CE0 modified at 0000023C5B729D28 after it was freed

The problem seems to come from the following part in qdom.cpp.

void QDomAttrPrivate::setNodeValue(const QString& v)
{
    value = v;
    QDomTextPrivate *t = new QDomTextPrivate(nullptr, this, v);
    // keep the refcount balanced: appendChild() does a ref anyway.
    t->ref.deref();
    if (first) {
        delete removeChild(first);  // <--- This deletes without checking the reference count of the return value of removeChild
    }
    appendChild(t);
}

The attached patch qtbug86547.patch seems to fix the problem in Qt5.12.7.
It'd be nice to have a fix in Qt5.15 series.

How to reproduce the problem
Run QDomAttr_DoubleRelease.zip