From bdf3782b40b0fc2ebfda960be08c90b549cfd970 Mon Sep 17 00:00:00 2001
From: Simon Hausmann <simon.hausmann@nokia.com>
Date: Fri, 28 Jan 2011 12:23:08 +0100
Subject: Fix potential networking crash due to null-pointer dereference

An internal bug report suggests that we unconditionally dereference the backend
pointer in QNetworkReplyImpl when checking for the synchronity of the
originating request. The dereferencing code was introduced in commit
ad1e82323225e996720136e8b2d669166b8d8441. Unfortunately the report does not
detail where/how the crash happened, but it appears plausible that the backend
pointer became null, and the surrounding code that has extra checks suggests
this, too. In an attempt of defensive programming this patch introduces
the missing check in the reported line 112 as well as in other places
where it seems appropriate.

Reviewed-by: Peter Hartmann
---
 src/network/access/qnetworkreplyimpl.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/network/access/qnetworkreplyimpl.cpp b/src/network/access/qnetworkreplyimpl.cpp
index 9d7082c..343f344 100644
--- a/src/network/access/qnetworkreplyimpl.cpp
+++ b/src/network/access/qnetworkreplyimpl.cpp
@@ -109,7 +109,7 @@ void QNetworkReplyImplPrivate::_q_startOperation()
     }
 #endif
 
-    if (backend->isSynchronous()) {
+    if (backend && backend->isSynchronous()) {
         state = Finished;
     } else {
         if (state != Finished) {
@@ -296,7 +296,7 @@ void QNetworkReplyImplPrivate::setup(QNetworkAccessManager::Operation op, const
     // in QtWebKit.
     QVariant synchronousHttpAttribute = req.attribute(
             static_cast<QNetworkRequest::Attribute>(QNetworkRequest::DownloadBufferAttribute + 1));
-    if (synchronousHttpAttribute.toBool()) {
+    if (backend && synchronousHttpAttribute.toBool()) {
         backend->setSynchronous(true);
         if (outgoingData && outgoingData->isSequential()) {
             outgoingDataBuffer = new QRingBuffer();
@@ -351,7 +351,7 @@ void QNetworkReplyImplPrivate::setup(QNetworkAccessManager::Operation op, const
             QMetaObject::invokeMethod(q, "_q_startOperation", Qt::QueuedConnection);
         }
 #else
-        if (backend->isSynchronous())
+        if (backend && backend->isSynchronous())
             _q_startOperation();
         else
             QMetaObject::invokeMethod(q, "_q_startOperation", Qt::QueuedConnection);
-- 
cgit v0.12