Fix crash in FileResourceConfigManager when doing removeResource

Jiří Paleček requested to merge jpalecek/kalarm:master into master

Hello

this merge request seeks to fix a crash that I encountered when deleting an old calendar file from KAlarm. Here is the backtrace and the result of valgrind pertaining to this crash.

As you can see, it is a use after free when running ResourceSelector::removeResource(). It deletes an instance of FileResourceSettings and then uses it.

The problematic code is here:

    Resource resource(createResource(settings));
    manager->mResources[settings->id()] = ResourceData(resource, settings);

where the first call creates the resource from settings.data() in FileResourceManage::createResource. This Resource is then stored in the global Resources instance, and holds a pointer to settings. Another pointer to settings is held in manager->mResources. But only one is managed by a QSharedPointer which means that on removal, if the first one to go is the managed one, the second one will be dangling and (in this case) used after free. This merge request fixes it by using the shared pointer throughout.

As an aside, I looked at other suspicious usages of data() and found only one. The second commit removes that as well in favor of normal shared pointer usage.
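The ownership mistake described in this merge request, modelled as an added standalone C++ example that is not KAlarm's code: `std::shared_ptr` stands in for `QSharedPointer` (an assumption that the two behave the same for the point shown), and `Settings`, `RawResource`, `SharedResource` and the map names are hypothetical.

```cpp
// Added example (not KAlarm's code): one holder owns the Settings object via a
// shared pointer while a second holder keeps only the raw pointer from data().
// Assumption: std::shared_ptr models QSharedPointer closely enough here.
#include <map>
#include <memory>
#include <string>

struct Settings {
    int id;
    std::string path;
};

// The buggy shape: the resource remembers only a raw pointer obtained via
// data()/get(), so it does not take part in ownership and can outlive the object.
struct RawResource {
    Settings* settings;  // dangles once the last shared owner is gone
};

// The fixed shape: the resource shares ownership, so Settings lives as long as
// any holder of the shared pointer does.
struct SharedResource {
    std::shared_ptr<Settings> settings;
};

// Simulates the crash path: the manager map owns Settings, the resource holds
// the raw pointer, and removal erases the map entry. Returns whether the
// Settings object is still alive afterwards (observed via a weak_ptr, so the
// dangling raw pointer is never dereferenced).
bool raw_pointer_survives_removal() {
    std::map<int, std::shared_ptr<Settings>> manager;
    auto settings = std::make_shared<Settings>(Settings{1, "old.ics"});  // constructed sample
    manager[settings->id] = settings;
    std::weak_ptr<Settings> watch = settings;  // observer only, not an owner
    RawResource resource{settings.get()};      // the data() pattern
    (void)resource;
    settings.reset();                          // drop the local handle
    manager.erase(1);                          // removeResource(): last owner goes away
    return !watch.expired();                   // false: resource.settings is now dangling
}

// Same flow with the shared pointer used throughout; the object stays valid.
bool shared_pointer_survives_removal() {
    std::map<int, std::shared_ptr<Settings>> manager;
    auto settings = std::make_shared<Settings>(Settings{1, "old.ics"});  // constructed sample
    manager[settings->id] = settings;
    SharedResource resource{settings};         // shares ownership
    settings.reset();
    manager.erase(1);
    return resource.settings && resource.settings->path == "old.ics";
}
```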
