|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry-picked a70b8d407e1ca46e5dc208580534feee7ddfe51a from
Qt5's qtbase master branch.
Maintain the consistency of QWizardPrivate's two members:
QVector<QWizardField> fields;
QMap<QString, int> fieldIndexMap;
during and after calls to QWizardPrivate's
void _q_handleFieldObjectDestroyed(QObject *)
member function. The failure to maintain this consistency
caused an out of bounds access and core dump in
QWizard's field(const QString &name) member function.
QWizard's field(const QString &name) member function expects
the values in the QMap fieldIndexMap to be indexes into the
QVector fields. Prior to this change
_q_handleFieldObjectDestroyed only removed the appropriate
entry from the map and erased it from the vector. It did
not decrement by one all the indexes greater than the index
that was removed from the map and erased from the vector
in the rest of the map.
For example ...
So if initially have the following mapping ...
"field0" -> 0,
"field1" -> 1, and
"field2" -> 2
with fields of size 3. After destruction of "field1" have ...
"field0" -> 0, and
"field2" -> 2
with fields of size 2.
Now attempts to look up "field2" using QWizard::field will
have an out of bounds error and possibly core dump or trigger
an internal Qt assert because an attempt to access
this->fields[2] will be made. It should be accessing
this->fields[1], but does not because the map is no longer
consistent with the vector.
This change adds a decrement by one for all the indexes
greater than the index that was removed from the map and
erased from the vector.
Task-number: QTBUG-25691
Change-Id: Ia2a41027628a65faec4ecdd5da235ddd19746a57
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
Reviewed-by: Lars Knoll <lars.knoll@nokia.com>
Reviewed-by: Girish Ramakrishnan <girish.1.ramakrishnan@nokia.com>
|