summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorThiago Macieira <thiago.macieira@nokia.com>2010-05-03 11:22:09 (GMT)
committerThiago Macieira <thiago.macieira@nokia.com>2010-05-03 14:04:27 (GMT)
commit3d852917187e29892529ab51d24c1a1177068a88 (patch)
tree42e68340f6d2de2fcbd652ec10ab06c2f207cbbd
parent56a0c1d1e2868aa1bba421f16e4f917373f574ff (diff)
downloadQt-3d852917187e29892529ab51d24c1a1177068a88.zip
Qt-3d852917187e29892529ab51d24c1a1177068a88.tar.gz
Qt-3d852917187e29892529ab51d24c1a1177068a88.tar.bz2
QMap: make sure we never access forward and backward through typed Node structs
See the comment in the file why. Reviewed-By: Olivier Goffart
-rw-r--r--src/corelib/tools/qmap.h20
1 files changed, 20 insertions, 0 deletions
diff --git a/src/corelib/tools/qmap.h b/src/corelib/tools/qmap.h
index df0ae46..5696ba6 100644
--- a/src/corelib/tools/qmap.h
+++ b/src/corelib/tools/qmap.h
@@ -125,6 +125,10 @@ template <class Key, class T>
struct QMapNode {
Key key;
T value;
+
+private:
+ // never access these members through this structure.
+ // see below
QMapData::Node *backward;
QMapData::Node *forward[1];
};
@@ -134,6 +138,22 @@ struct QMapPayloadNode
{
Key key;
T value;
+
+private:
+ // QMap::e is a pointer to QMapData::Node, which matches the member
+ // below. However, the memory allocation node in QMapData::node_create
+ // allocates sizeof(QMapPayloNode) and incorrectly calculates the offset
+ // of 'backward' below. If the alignment of QMapPayloadNode is larger
+ // than the alignment of a pointer, the 'backward' member is aligned to
+ // the end of this structure, not to 'value' above, and will occupy the
+ // tail-padding area.
+ //
+ // e.g., on a 32-bit archictecture with Key = int and
+ // sizeof(T) = alignof(T) = 8
+ // 0 4 8 12 16 20 24 byte
+ // | key | PAD | value |backward| PAD | correct layout
+ // | key | PAD | value | |backward| how it's actually used
+ // |<----- value of QMap::payload() = 20 ----->|
QMapData::Node *backward;
};