add source pointer check to qAtomicAssign()

fixes possible pointer dereference in QJsonDocument and QDBusMessage Signed-off-by: Ivailo Monev <xakepa10@gmail.com>
2025-02-24 10:52:56 +00:00 · 2021-03-20 17:09:55 +02:00 · 2021-03-20 17:09:55 +02:00 · c7252026f8
commit c7252026f8
parent 7eacab7a52
3 changed files with 18 additions and 29 deletions
--- a/src/core/thread/qatomic.h
+++ b/src/core/thread/qatomic.h
@ -253,16 +253,19 @@ class Q_CORE_EXPORT QAtomicPointer
 template <typename T>
 inline void qAtomicAssign(T *&d, T *x)
 {
-   if (d == x) {
-      return;
-   }
+    if (d == x) {
+        return;
+    }

-   x->ref.ref();
-   if (d && !d->ref.deref()) {
-      delete d;
-   }
+    if (x) {
+        x->ref.ref();
+    }

-   d = x;
+    if (d && !d->ref.deref()) {
+        delete d;
+    }
+
+    d = x;
 }

 /*!
--- a/src/xml/dom/qdom.cpp
+++ b/src/xml/dom/qdom.cpp
@ -909,11 +909,7 @@ QDomImplementation::QDomImplementation(QDomImplementationPrivate *p)
 */
 QDomImplementation& QDomImplementation::operator=(const QDomImplementation &x)
 {
-    if (x.impl)
-        x.impl->ref.ref();
-    if (impl && !impl->ref.deref())
-        delete impl;
-    impl = x.impl;
+    qAtomicAssign(impl, x.impl);
    return *this;
 }

@ -1306,11 +1302,7 @@ QDomNodeList::QDomNodeList(const QDomNodeList& n)
 */
 QDomNodeList& QDomNodeList::operator=(const QDomNodeList &n)
 {
-    if (n.impl)
-        n.impl->ref.ref();
-    if (impl && !impl->ref.deref())
-        delete impl;
-    impl = n.impl;
+    qAtomicAssign(impl, n.impl);
    return *this;
 }

@ -2024,11 +2016,7 @@ QDomNode::QDomNode(QDomNodePrivate *n)
 */
 QDomNode& QDomNode::operator=(const QDomNode &n)
 {
-    if (n.impl)
-        n.impl->ref.ref();
-    if (impl && !impl->ref.deref())
-        delete impl;
-    impl = n.impl;
+    qAtomicAssign(impl, n.impl);
    return *this;
 }

@ -3222,11 +3210,7 @@ QDomNamedNodeMap::QDomNamedNodeMap(QDomNamedNodeMapPrivate *n)
 */
 QDomNamedNodeMap& QDomNamedNodeMap::operator=(const QDomNamedNodeMap &n)
 {
-    if (n.impl)
-        n.impl->ref.ref();
-    if (impl && !impl->ref.deref())
-        delete impl;
-    impl = n.impl;
+    qAtomicAssign(impl, n.impl);
    return *this;
 }

--- a/tests/auto/qjsondocument/tst_qjsondocument.cpp
+++ b/tests/auto/qjsondocument/tst_qjsondocument.cpp
@ -153,9 +153,11 @@ void tst_QJsonDocument::eq_not_eq()
    QVERIFY(nulljsondoc != jsondoc);

    // assignment crash test
+    QJsonDocument jsondoc2 = QJsonDocument::fromVariant(testjsondata);
    nulljsondoc = jsondoc;
+    jsondoc2 = nulljsondoc2;

-    // constructor crash
+    // constructor crash test
    QJsonDocument nulljsondoc3(nulljsondoc);

 }