From 600bdda04508fab512ed97c9874353378c7cb3fa Mon Sep 17 00:00:00 2001
From: Michael Pyne
Date: Thu, 17 Dec 2015 21:34:04 -0500
Subject: [PATCH] Fix potential use-after-free in FrameSVG.

Plasma framework's FrameSVG class uses cached regions for efficiency. However Coverity caught a mis-use of QCache in FrameSvg::mask(), which could lead to a use-after-free situation. (CID 1291560)

Basically, any pointer passed into QCache::insert must be assumed to be deleted after insert() has been called -- we can't then return that pointer to the caller. Moreover we were simply returning a pointer to calling code that had been (and still would be) owned by QCache, which is unsafe as it can be deleted at any time.

The fix in both cases is to make a local copy of the QRegion from out of the cache and return that.

REVIEW:126411
FIXED-IN:5.18
---
 src/plasma/framesvg.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/plasma/framesvg.cpp b/src/plasma/framesvg.cpp
index 107e0e6d1..81187dcaa 100644
--- a/src/plasma/framesvg.cpp
+++ b/src/plasma/framesvg.cpp
@@ -500,12 +500,17 @@ QRegion FrameSvg::mask() const
     QString id = d->cacheId(frame, QString());
     QRegion* obj = frame->cachedMasks.object(id);
+    QRegion result;
 
     if (!obj) {
         obj = new QRegion(QBitmap(d->alphaMask().alphaChannel().createMaskFromColor(Qt::black)));
+        result = *obj;
         frame->cachedMasks.insert(id, obj);
     }
-    return *obj;
+    else {
+        result = *obj;
+    }
+    return result;
 }
 
 void FrameSvg::setCacheAllRenderedFrames(bool cache)
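Review bot: The reason the copy at `result = *obj;` has to precede `frame->cachedMasks.insert(id, obj);` is not recorded in the code, so a later tidy-up that moves the copy below the insert would silently reintroduce the use-after-free this commit fixes, since QCache::insert() takes ownership of the pointer and may delete it immediately when its cost exceeds the cache's maxCost. I would put `// QCache::insert() owns obj from here and may delete it at once (cost > maxCost); copy before inserting.` directly above that line. The two-branch shape can also be collapsed by computing the region into a local first, inserting a heap copy and returning the local, which removes the raw `obj` pointer that is still in scope after its ownership was handed away and fixes the `}` / `else {` split, which does not follow the `} else {` form used in Qt/KDE code. The function's opening brace and the lookup of `frame` lie above the hunk, so the sketch below keeps the existing assumption that `frame` is non-null there.
```cpp
    // … unchanged: lookup of frame and cache id …
    if (const QRegion *cached = frame->cachedMasks.object(id)) {
        return *cached; // value copy; stays valid even if the cache later evicts its entry
    }
    const QRegion result(QBitmap(d->alphaMask().alphaChannel().createMaskFromColor(Qt::black)));
    // QCache::insert() takes ownership and may delete the pointer immediately (cost > maxCost),
    // so hand it a heap copy and return our own value.
    frame->cachedMasks.insert(id, new QRegion(result));
    return result;
```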