Fix potential use-after-free in FrameSVG.

Plasma framework's FrameSVG class uses cached regions for efficiency. However,
Coverity caught a misuse of QCache in FrameSvg::mask(), which could lead to a
use-after-free situation. (CID 1291560)

Basically, any pointer passed into QCache::insert must be assumed to be deleted
after insert() has been called -- we can't then return that pointer to the
caller.

Moreover we were simply returning a pointer to calling code that had been (and
still would be) owned by QCache, which is unsafe as it can be deleted at any
time. The fix in both cases is to make a local copy of the QRegion from out of
the cache and return that.

REVIEW:126411
FIXED-IN:5.18
Michael Pyne 2015-12-17 21:34:04 -05:00
parent a1feac929b
commit 600bdda045

@ -500,12 +500,17 @@ QRegion FrameSvg::mask() const
QString id = d->cacheId(frame, QString());
QRegion* obj = frame->cachedMasks.object(id);
QRegion result;
if (!obj) {
obj = new QRegion(QBitmap(d->alphaMask().alphaChannel().createMaskFromColor(Qt::black)));
result = *obj;
frame->cachedMasks.insert(id, obj);
}
return *obj;
else {
result = *obj;
}
return result;
}
void FrameSvg::setCacheAllRenderedFrames(bool cache)
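
Review bot: In the `if (!obj)` branch the copy `result = *obj;` has to stay ahead of `frame->cachedMasks.insert(id, obj);`, and nothing in the code says so, so a later reorder would bring back the dereference of a pointer that QCache may already have deleted. Consider building the region in `result` directly and inserting `new QRegion(result)`, so that `obj` is never read after the insert, or at least add a one-line comment stating that `obj` must not be touched once `insert()` has been called. Minor style point: the `else {` sits on its own line after the closing brace of the `if` block; joining them as `} else {` would read more cleanly.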