QWidget: Fix UB (invalid cast) in sendResizeEvents()

Found by UBSan: qwidget.cpp:5228:62: runtime error: downcast of address 0x61b00003d480 which does not point to an object of type 'QWidget' 0x61b00003d480: note: object is of type 'QMainWindowLayout' bc 00 00 75 90 2e 2a 78 4f 2b 00 00 40 c1 02 00 f0 60 00 00 78 2f 2a 78 4f 2b 00 00 00 00 00 00 ^~~~~~~~~~~~~~~~~~~~~~~ vptr for 'QMainWindowLayout' #0 0x2b4f70efb1c2 in sendResizeEvents qwidget.cpp:5228 qt#1 0x2b4f70f65f7f in QWidget::grab(QRect const&) qwidget.cpp:5252 qt#2 0x6b1746 in tst_QWidget::render_task188133() tst_qwidget.cpp:6615 Fix by performing the cast only after the test for isWidgetType() has succeeded. Change-Id: I061a60ef35bcb5fbefb9bc7b84706c9dd5afd207 Reviewed-by: Thiago Macieira <[email protected]>
brad0 · Sep 28, 2016 · c65621b · c65621b
1 parent 5571d2b
commit c65621b
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/src/widgets/kernel/qwidget.cpp b/src/widgets/kernel/qwidget.cpp
@@ -5201,8 +5201,10 @@ static void sendResizeEvents(QWidget *target)
 
     const QObjectList children = target->children();
     for (int i = 0; i < children.size(); ++i) {
+        if (!children.at(i)->isWidgetType())
+            continue;
         QWidget *child = static_cast<QWidget*>(children.at(i));
-        if (child->isWidgetType() && !child->isWindow() && child->testAttribute(Qt::WA_PendingResizeEvent))
+        if (!child->isWindow() && child->testAttribute(Qt::WA_PendingResizeEvent))
             sendResizeEvents(child);
     }
 }