- Bug
- Resolution: Done
- P1: Critical
- 5.15.2
- None
- c47bb4478a4c3a29c0505d7d89755f40601b326f (qt/qtbase/dev), d3b24a14bb9e6c258e9183dc05893020d81c9a9f (qt/qtbase/6.0), 466177c9112de8b7a0bd0994767e8dfb8034d67f (qt/qtbase/6.1), ce61defc4d2c611c15eeffd3070a0e71f4373550 (qt/tqtc-qtbase/5.15)

The function QGridLayout::itemAt does not check for a negative index and will return an invalid pointer as a result. This also affects QGridLayout::takeAt. Notice that the code below only checks the upper bound; it should also check for index >= 0.

qtbase/src/widgets/kernel/qgridlayout.cpp, Lines 151-172

```cpp
inline QLayoutItem *itemAt(int index) const {
    if (index < things.count())
        return things.at(index)->item();
    else
        return 0;
}
inline QLayoutItem *takeAt(int index) {
    Q_Q(QGridLayout);
    if (index < things.count()) {
        if (QGridBox *b = things.takeAt(index)) {
            QLayoutItem *item = b->takeItem();
            if (QLayout *l = item->layout()) {
                // sanity check in case the user passed something weird to QObject::setParent()
                if (l->parent() == q)
                    l->setParent(0);
            }
            delete b;
            return item;
        }
    }
    return 0;
}
```

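
The following is an added example, not Qt source and not the merged fix: it models the lookup with standard-library containers to show that a signed index tested only against the upper bound lets -1 through, and how `itemAt`/`takeAt` behave once the `index >= 0` check the report asks for is in place. `Item`, `Box`, `GridModel`, `upperBoundOnly` and `inRange` are hypothetical names.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-ins for QLayoutItem / QGridBox; these are not Qt types.
struct Item { std::string name; };
struct Box { std::unique_ptr<Item> item; };

// The check as reported: upper bound only, so every negative index passes.
bool upperBoundOnly(int index, int count) { return index < count; }

// Both bounds, as the report asks for (index >= 0 as well).
bool inRange(int index, int count) { return index >= 0 && index < count; }

class GridModel {
public:
    void add(std::string name) {
        things.push_back(Box{std::make_unique<Item>(Item{std::move(name)})});
    }
    int count() const { return static_cast<int>(things.size()); }

    // Returns nullptr for any out-of-range index, negative ones included.
    Item *itemAt(int index) const {
        return inRange(index, count()) ? things[index].item.get() : nullptr;
    }

    // Removes the box and hands ownership of its item to the caller.
    std::unique_ptr<Item> takeAt(int index) {
        if (!inRange(index, count()))
            return nullptr;
        std::unique_ptr<Item> item = std::move(things[index].item);
        things.erase(things.begin() + index);
        return item;
    }
private:
    std::vector<Box> things;
};

int main() {
    GridModel g;
    g.add("a"); g.add("b");
    // Index -1 is the case named in the subject line of the fix.
    std::printf("upper-bound-only check accepts -1: %d\n", upperBoundOnly(-1, g.count()));
    std::printf("itemAt(-1) is null: %d\n", g.itemAt(-1) == nullptr);
    std::printf("takeAt(-1) is null: %d, count: %d\n", g.takeAt(-1) == nullptr, g.count());
    return 0;
}
```
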

For Gerrit Dashboard: QTBUG-91261

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 335615,5 | Fix invalid pointer return with QGridLayout::itemAt(-1) | dev | qt/qtbase | MERGED | +2 | 0 |
| 340054,2 | Fix invalid pointer return with QGridLayout::itemAt(-1) | 6.1 | qt/qtbase | MERGED | +2 | 0 |
| 340055,2 | Fix invalid pointer return with QGridLayout::itemAt(-1) | 6.0 | qt/qtbase | MERGED | +2 | 0 |
| 340058,2 | Fix invalid pointer return with QGridLayout::itemAt(-1) | tqtc/lts-5.15 | qt/tqtc-qtbase | MERGED | +2 | 0 |