From 6bc138c87a32f7f707e40eaf006128936792bb0b Mon Sep 17 00:00:00 2001 From: Peter Wu Date: Sat, 7 Mar 2015 22:53:05 +0100 Subject: Qt: fix heap use-after-free wrt. data sources When a different packet is changed, the packet scoped memory for tvbuff is freed before clearing data source tabs. This results in heap-use-after free when resizeEvent is called as a result of clearing tabs for data sources. Avoid resize events by hiding the tabs. Caught with ASAN: ==18816==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060004cd970 at pc 0x7fffebf46618 bp 0x7fffffffbb10 sp 0x7fffffffbb00 READ of size 4 at 0x6060004cd970 thread T0 #0 0x7fffebf46617 in tvb_captured_length epan/tvbuff.c:423 #1 0x773062 in ByteViewText::updateScrollbars() ui/qt/byte_view_text.cpp:489 #2 0x76f307 in ByteViewText::resizeEvent(QResizeEvent*) ui/qt/byte_view_text.cpp:197 ... #24 0x9f2348 in ByteViewText::~ByteViewText() ui/qt/byte_view_text.h:46 #25 0x9f23f5 in ByteViewText::~ByteViewText() ui/qt/byte_view_text.h:46 #26 0x76b9d6 in ByteViewTab::clear() ui/qt/byte_view_tab.cpp:54 #27 0x5de685 in PacketList::selectionChanged(QItemSelection const&, QItemSelection const&) ui/qt/packet_list.cpp:477 ... freed by thread T0 here: ... #5 0x53d763 in cf_select_packet file.c:3827 #6 0x5ddfa5 in PacketList::selectionChanged(QItemSelection const&, QItemSelection const&) ui/qt/packet_list.cpp:454 #7 0x7fffe58ec980 (/usr/lib/libQt5Widgets.so.5+0x3bc980) #8 0x7fffe4d55dd6 in QItemSelectionModel::selectionChanged(QItemSelection const&, QItemSelection const&) (/usr/lib/libQt5Core.so.5+0x23fdd6) ... Change-Id: I9c1c01398713389de58259d13ebbaddd2d6e5c52 Reviewed-on: https://code.wireshark.org/review/7589 Reviewed-by: Peter Wu Reviewed-by: Gerald Combs
---
 ui/qt/byte_view_tab.cpp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'ui/qt/byte_view_tab.cpp')
diff --git a/ui/qt/byte_view_tab.cpp b/ui/qt/byte_view_tab.cpp
index c7ba1a9f7a..72968613d2 100644
--- a/ui/qt/byte_view_tab.cpp
+++ b/ui/qt/byte_view_tab.cpp
@@ -49,9 +49,11 @@ void ByteViewTab::addTab(const char *name, tvbuff_t *tvb, proto_tree *tree, QTre
 void ByteViewTab::clear() {
+ hide();
 while (currentWidget()) {
 delete currentWidget();
 }
+ show();
 }
 void ByteViewTab::tabInserted(int index) {
-- cgit v1.2.1
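Review bot: The `hide()`/`show()` pair in `ByteViewTab::clear()` suppresses the resize event that triggered the ASAN report, but each `ByteViewText` still holds a tvbuff pointer that, per the trace in the commit message, was already freed by `cf_select_packet` before `clear()` runs, so any other path that touches it during teardown would still read freed memory. The ordering lives in `PacketList::selectionChanged`, outside this hunk; clearing the tabs before the packet-scoped memory is released (or dropping the views' tvb pointers first) would remove the dangling reference rather than mask it. As written the two calls read like a stray UI tweak, so a comment such as `// Hide while deleting: the views' tvbs are already freed and a resizeEvent would read them.` would keep them from being removed later. `show()` is also unconditional, so a tab widget that was hidden before the call becomes visible; `const bool was_hidden = isHidden();` before the loop and `if (!was_hidden) show();` after it would preserve the prior state.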