qt: fix use-after-free pattern

qstring.toUtf8() returns a QByteArray object and .constData() returns a pointer inside that object. It is not safe to store this pointer as it will become invalid after the statement. Store a const reference instead. (Due to scoping differences, some are copy-assigned though.) In the UAT dialog, strlen(bytes.constData()) has also been replaced by bytes.size() as an optimization. Caught by ASAN. Change-Id: Ie09f999a32d0ef1abaa1e658b9403b74bedffc37 Reviewed-on: https://code.wireshark.org/review/5528 Petri-Dish: Gerald Combs <gerald@wireshark.org> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Gerald Combs <gerald@wireshark.org>
author: Peter Wu <peter@lekensteyn.nl> 2014-11-29 19:29:26 +0100
committer: Gerald Combs <gerald@wireshark.org> 2014-12-01 00:56:26 +0000
commit: 18f01099694ed5c2758105f893ba37589f552717 (patch)
tree: 78464c882944cf12058ed99ac9829ab03c69cde8 /ui/qt
parent: 846bb5394812c39359dfdbbf7e8755a7e3cf5326 (diff)
download: wireshark-18f01099694ed5c2758105f893ba37589f552717.tar.gz
7 files changed, 30 insertions, 25 deletions
diff --git a/ui/qt/capture_filter_combo.cpp b/ui/qt/capture_filter_combo.cpp
index 923424d892..d990ce782a 100644
--- a/ui/qt/capture_filter_combo.cpp
+++ b/ui/qt/capture_filter_combo.cpp
@@ -92,12 +92,11 @@ CaptureFilterCombo::CaptureFilterCombo(QWidget *parent) :
 
 void CaptureFilterCombo::writeRecent(FILE *rf) {
     int i;
-    const char *filter_str;
 
     for (i = 0; i < count(); i++) {
-        filter_str = itemText(i).toUtf8().constData();
-        if(filter_str && strlen(filter_str) > 0) {
-            fprintf(rf, RECENT_KEY_DISPLAY_FILTER ": %s\n", filter_str);
+        const QByteArray& filter = itemText(i).toUtf8();
+        if (!filter.isEmpty()) {
+            fprintf(rf, RECENT_KEY_DISPLAY_FILTER ": %s\n", filter.constData());
         }
     }
 }
diff --git a/ui/qt/conversation_dialog.cpp b/ui/qt/conversation_dialog.cpp
index 0821e84097..cf03f46e70 100644
--- a/ui/qt/conversation_dialog.cpp
+++ b/ui/qt/conversation_dialog.cpp
@@ -162,11 +162,13 @@ bool ConversationDialog::addTrafficTable(register_ct_t* table)
             conv_tree, SLOT(setNameResolutionEnabled(bool)));
 
     // XXX Move to ConversationTreeWidget ctor?
+    QByteArray filter_utf8;
     const char *filter = NULL;
     if (displayFilterCheckBox()->isChecked()) {
         filter = cap_file_->dfilter;
     } else if (!filter_.isEmpty()) {
-        filter = filter_.toUtf8().constData();
+        filter_utf8 = filter_.toUtf8();
+        filter = filter_utf8.constData();
     }
 
     conv_tree->trafficTreeHash()->user_data = conv_tree;
@@ -289,11 +291,13 @@ void ConversationDialog::on_displayFilterCheckBox_toggled(bool checked)
         return;
     }
 
+    QByteArray filter_utf8;
     const char *filter = NULL;
     if (checked) {
         filter = cap_file_->dfilter;
     } else if (!filter_.isEmpty()) {
-        filter = filter_.toUtf8().constData();
+        filter_utf8 = filter_.toUtf8();
+        filter = filter_utf8.constData();
     }
 
     for (int i = 0; i < trafficTableTabWidget()->count(); i++) {
diff --git a/ui/qt/display_filter_combo.cpp b/ui/qt/display_filter_combo.cpp
index 576a9a9b2e..edcad297fa 100644
--- a/ui/qt/display_filter_combo.cpp
+++ b/ui/qt/display_filter_combo.cpp
@@ -90,12 +90,11 @@ extern "C" void dfilter_recent_combo_write_all(FILE *rf) {
 
 void DisplayFilterCombo::writeRecent(FILE *rf) {
     int i;
-    const char *filter_str;
 
     for (i = 0; i < count(); i++) {
-        filter_str = itemText(i).toUtf8().constData();
-        if(filter_str && strlen(filter_str) > 0) {
-            fprintf(rf, RECENT_KEY_DISPLAY_FILTER ": %s\n", filter_str);
+        const QByteArray& filter = itemText(i).toUtf8();
+        if (!filter.isEmpty()) {
+            fprintf(rf, RECENT_KEY_DISPLAY_FILTER ": %s\n", filter.constData());
         }
     }
 }
diff --git a/ui/qt/endpoint_dialog.cpp b/ui/qt/endpoint_dialog.cpp
index ff8cd5bbea..d0450bff71 100644
--- a/ui/qt/endpoint_dialog.cpp
+++ b/ui/qt/endpoint_dialog.cpp
@@ -146,11 +146,13 @@ bool EndpointDialog::addTrafficTable(register_ct_t *table)
             endp_tree, SLOT(setNameResolutionEnabled(bool)));
 
     // XXX Move to ConversationTreeWidget ctor?
+    QByteArray filter_utf8;
     const char *filter = NULL;
     if (displayFilterCheckBox()->isChecked()) {
         filter = cap_file_->dfilter;
     } else if (!filter_.isEmpty()) {
-        filter = filter_.toUtf8().constData();
+        filter_utf8 = filter_.toUtf8();
+        filter = filter_utf8.constData();
     }
 
     endp_tree->trafficTreeHash()->user_data = endp_tree;
diff --git a/ui/qt/export_pdu_dialog.cpp b/ui/qt/export_pdu_dialog.cpp
index 42506a555c..280e206f35 100644
--- a/ui/qt/export_pdu_dialog.cpp
+++ b/ui/qt/export_pdu_dialog.cpp
@@ -47,16 +47,14 @@ ExportPDUDialog::ExportPDUDialog(QWidget *parent) :
 }
 void ExportPDUDialog::on_buttonBox_accepted()
 {
-    const char *filter;
-    QString    tap_name;
     exp_pdu_t  exp_pdu_data;
 
     exp_pdu_data.pkt_encap = wtap_wtap_encap_to_pcap_encap(WTAP_ENCAP_WIRESHARK_UPPER_PDU);
 
-    filter = ui->displayFilterLineEdit->text().toUtf8().constData();
-    tap_name = ui->comboBox->currentText();
+    const QByteArray& filter = ui->displayFilterLineEdit->text().toUtf8();
+    const QByteArray& tap_name = ui->comboBox->currentText().toUtf8();
 
-    do_export_pdu(filter, (gchar *)tap_name.toUtf8().constData(), &exp_pdu_data);
+    do_export_pdu(filter.constData(), (gchar *)tap_name.constData(), &exp_pdu_data);
 }
 ExportPDUDialog::~ExportPDUDialog()
 {
diff --git a/ui/qt/traffic_table_dialog.cpp b/ui/qt/traffic_table_dialog.cpp
index 3f65b6c482..6367925bb3 100644
--- a/ui/qt/traffic_table_dialog.cpp
+++ b/ui/qt/traffic_table_dialog.cpp
@@ -154,11 +154,13 @@ void TrafficTableDialog::on_displayFilterCheckBox_toggled(bool checked)
         return;
     }
 
+    QByteArray filter_utf8;
     const char *filter = NULL;
     if (checked) {
         filter = cap_file_->dfilter;
     } else if (!filter_.isEmpty()) {
-        filter = filter_.toUtf8().constData();
+        filter_utf8 = filter_.toUtf8();
+        filter = filter_utf8.constData();
     }
 
     for (int i = 0; i < ui->trafficTableTabWidget->count(); i++) {
diff --git a/ui/qt/uat_dialog.cpp b/ui/qt/uat_dialog.cpp
index df1a364f74..ce45d429f3 100644
--- a/ui/qt/uat_dialog.cpp
+++ b/ui/qt/uat_dialog.cpp
@@ -266,8 +266,9 @@ void UatDialog::on_uatTreeWidget_itemActivated(QTreeWidgetItem *item, int column
     case PT_TXTMOD_FILENAME:
     {
         QString cur_path = fieldString(row, column);
-        QString new_path = QFileDialog::getSaveFileName(this, field->title, cur_path, QString(), NULL, fd_opt);
-        field->cb.set(rec, new_path.toUtf8().constData(), (unsigned) strlen(new_path.toUtf8().constData()), field->cbdata.set, field->fld_data);
+        const QByteArray& new_path = QFileDialog::getSaveFileName(this,
+                field->title, cur_path, QString(), NULL, fd_opt).toUtf8();
+        field->cb.set(rec, new_path.constData(), (unsigned) new_path.size(), field->cbdata.set, field->fld_data);
         updateItem(*item);
         break;
     }
@@ -362,11 +363,11 @@ void UatDialog::enumPrefCurrentIndexChanged(int index)
     guint row = item->data(0, Qt::UserRole).toUInt();
     void *rec = UAT_INDEX_PTR(uat_, row);
     uat_field_t *field = &uat_->fields[cur_column_];
-    const char *enum_txt = cur_combo_box_->itemText(index).toUtf8().constData();
+    const QByteArray& enum_txt = cur_combo_box_->itemText(index).toUtf8();
     const char *err = NULL;
 
-    if (field->cb.chk && field->cb.chk(rec, enum_txt, (unsigned) strlen(enum_txt), field->cbdata.chk, field->fld_data, &err)) {
-        field->cb.set(rec, enum_txt, (unsigned) strlen(enum_txt), field->cbdata.set, field->fld_data);
+    if (field->cb.chk && field->cb.chk(rec, enum_txt.constData(), (unsigned) enum_txt.size(), field->cbdata.chk, field->fld_data, &err)) {
+        field->cb.set(rec, enum_txt.constData(), (unsigned) enum_txt.size(), field->cbdata.set, field->fld_data);
         ok_button_->setEnabled(true);
     } else {
         ok_button_->setEnabled(false);
@@ -384,14 +385,14 @@ void UatDialog::stringPrefTextChanged(const QString &text)
     guint row = item->data(0, Qt::UserRole).toUInt();
     void *rec = UAT_INDEX_PTR(uat_, row);
     uat_field_t *field = &uat_->fields[cur_column_];
-    const char *txt = text.toUtf8().constData();
+    const QByteArray& txt = text.toUtf8();
     const char *err = NULL;
     bool enable_ok = true;
     SyntaxLineEdit::SyntaxState ss = SyntaxLineEdit::Empty;
 
     if (field->cb.chk) {
-        if (field->cb.chk(rec, txt, (unsigned) strlen(txt), field->cbdata.chk, field->fld_data, &err)) {
-            field->cb.set(rec, txt, (unsigned) strlen(txt), field->cbdata.set, field->fld_data);
+        if (field->cb.chk(rec, txt.constData(), (unsigned) txt.size(), field->cbdata.chk, field->fld_data, &err)) {
+            field->cb.set(rec, txt.constData(), (unsigned) txt.size(), field->cbdata.set, field->fld_data);
             saved_string_pref_ = text;
             ss = SyntaxLineEdit::Valid;
         } else {
author	Peter Wu <peter@lekensteyn.nl>	2014-11-29 19:29:26 +0100
committer	Gerald Combs <gerald@wireshark.org>	2014-12-01 00:56:26 +0000
commit	18f01099694ed5c2758105f893ba37589f552717 (patch)
tree	78464c882944cf12058ed99ac9829ab03c69cde8 /ui/qt
parent	846bb5394812c39359dfdbbf7e8755a7e3cf5326 (diff)
download	wireshark-18f01099694ed5c2758105f893ba37589f552717.tar.gz