QVariant: Fix crash when comparing two variant with the same undefined type.

If the type is the same, but not registered, the returned string could be
null (or empty if a empty string was registered)
In that case, QVariant compare() function  would access invalid memory.

Protect against that case. qstrcmp returns 0 if 0 is given as a parametter.

Task-number: QTBUG-8700
Reviewed-by: Markus Goetz

2 files changed, 6 insertions, 1 deletions

diff --git a/src/corelib/kernel/qvariant.cpp b/src/corelib/kernel/qvariant.cpp
index e1b5825..95b2352 100644
--- a/src/corelib/kernel/qvariant.cpp
+++ b/src/corelib/kernel/qvariant.cpp
@@ -466,7 +466,8 @@ static bool compare(const QVariant::Private *a, const QVariant::Private *b)
      * QMetaType::VoidStar, QMetaType::QObjectStar and so forth, is that it wouldn't include
      * user defined pointer types. */
     const char *const typeName = QMetaType::typeName(a->type);
-    if (typeName[qstrlen(typeName) - 1] == '*')
+    uint typeNameLen = qstrlen(typeName);
+    if (typeNameLen > 0 && typeName[typeNameLen - 1] == '*')
         return *static_cast<void *const *>(a_ptr) == *static_cast<void *const *>(b_ptr);
 
     return a_ptr == b_ptr;
diff --git a/tests/auto/qvariant/tst_qvariant.cpp b/tests/auto/qvariant/tst_qvariant.cpp
index a316dda..b7e2c81 100644
--- a/tests/auto/qvariant/tst_qvariant.cpp
+++ b/tests/auto/qvariant/tst_qvariant.cpp
@@ -1968,6 +1968,10 @@ void tst_QVariant::operator_eq_eq_data()
 
         QTest::newRow("HashSecondLarger") << QVariant(hash1) << QVariant(hash2) << false;
     }
+
+    QTest::newRow( "UserType" ) << QVariant(QVariant::UserType) << QVariant(QVariant::UserType) << false;
+    QVariant mUserType(QVariant::UserType);
+    QTest::newRow( "Shared UserType" ) << mUserType << mUserType << true;
 }
 
 void tst_QVariant::operator_eq_eq()