Fix potential use-after-free in FrameSVG.
Plasma framework's FrameSVG class uses cached regions for efficiency. However Coverity caught a mis-use of QCache in FrameSvg::mask(), which could lead to a use-after-free situation. (CID 1291560) Basically, any pointer passed into QCache::insert must be assumed to be deleted after insert() has been called -- we can't then return that pointer to the caller. Moreover we were simply returning a pointer to calling code that had been (and still would be) owned by QCache, which is unsafe as it can be deleted at any time. The fix in both cases is to make a local copy of the QRegion from out of the cache and return that. REVIEW:126411 FIXED-IN:5.18
This commit is contained in:
Michael Pyne
parent
a1feac929b
commit
600bdda045
@ -500,12 +500,17 @@ QRegion FrameSvg::mask() const
|
||||
QString id = d->cacheId(frame, QString());
|
||||
|
||||
QRegion* obj = frame->cachedMasks.object(id);
|
||||
QRegion result;
|
||||
|
||||
if (!obj) {
|
||||
obj = new QRegion(QBitmap(d->alphaMask().alphaChannel().createMaskFromColor(Qt::black)));
|
||||
result = *obj;
|
||||
frame->cachedMasks.insert(id, obj);
|
||||
}
|
||||
return *obj;
|
||||
else {
|
||||
result = *obj;
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
void FrameSvg::setCacheAllRenderedFrames(bool cache)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user