From a4d7572059b5b56d49d7e0c3f3466686e1dc6e16 Mon Sep 17 00:00:00 2001 From: Olivier Goffart Date: Wed, 3 Mar 2010 20:47:13 +0100 Subject: QVariant: Fix crash when comparing two variant with the same undefined type. If the type is the same, but not registered, the returned string could be null (or empty if a empty string was registered) In that case, QVariant compare() function would access invalid memory. Protect against that case. qstrcmp returns 0 if 0 is given as a parametter. Task-number: QTBUG-8700 Reviewed-by: Markus Goetz --- src/corelib/kernel/qvariant.cpp | 3 ++- tests/auto/qvariant/tst_qvariant.cpp | 4 ++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/corelib/kernel/qvariant.cpp b/src/corelib/kernel/qvariant.cpp index e1b5825..95b2352 100644 --- a/src/corelib/kernel/qvariant.cpp +++ b/src/corelib/kernel/qvariant.cpp @@ -466,7 +466,8 @@ static bool compare(const QVariant::Private *a, const QVariant::Private *b) * QMetaType::VoidStar, QMetaType::QObjectStar and so forth, is that it wouldn't include * user defined pointer types. */ const char *const typeName = QMetaType::typeName(a->type); - if (typeName[qstrlen(typeName) - 1] == '*') + uint typeNameLen = qstrlen(typeName); + if (typeNameLen > 0 && typeName[typeNameLen - 1] == '*') return *static_cast(a_ptr) == *static_cast(b_ptr); return a_ptr == b_ptr; diff --git a/tests/auto/qvariant/tst_qvariant.cpp b/tests/auto/qvariant/tst_qvariant.cpp index a316dda..b7e2c81 100644 --- a/tests/auto/qvariant/tst_qvariant.cpp +++ b/tests/auto/qvariant/tst_qvariant.cpp @@ -1968,6 +1968,10 @@ void tst_QVariant::operator_eq_eq_data() QTest::newRow("HashSecondLarger") << QVariant(hash1) << QVariant(hash2) << false; } + + QTest::newRow( "UserType" ) << QVariant(QVariant::UserType) << QVariant(QVariant::UserType) << false; + QVariant mUserType(QVariant::UserType); + QTest::newRow( "Shared UserType" ) << mUserType << mUserType << true; } void tst_QVariant::operator_eq_eq() -- cgit v0.12