authorAurĂ©lien Brooke <[email protected]>2025-08-14 08:45:05 +0200
committerQt Cherry-pick Bot <[email protected]>2025-08-16 04:23:14 +0000
commit367abce44eaf56d8306c604b5ec5deec962ea8c2 (patch)
tree74d79784290d75db550b3c96a5295f03c3ead3d5
parent874335b184faec6006dce3966b9b541e9068f11f (diff)
QQmlValueTypeWrapper: fix stack-use-after-return and missing destructor6.9
If isReference() is true and we allocate a gadgetPtr() on the stack with alloca(), then when readReferenceValue() fails, we return immediately, leaving a bad pointer in d()->gadgetPtr(): - gadgetPtr now references alloca() memory from a function that returned - the destructor of the gadget is never called To fix this, ensure that we destruct and nullptr the gadget on all exit paths, thanks to a qScopeGuard(). Pick-to: 6.8 6.5 Change-Id: I4ff411c0f364ad337fdbd55772812e1f219e6dff Reviewed-by: Ulf Hermann <[email protected]> (cherry picked from commit 0d67a8c45232e95de86fe66975f6ec3e07ec2aa9) Reviewed-by: Qt Cherry-pick Bot <[email protected]> (cherry picked from commit 63d8a9d1c9c89c60943c066676f8d434344d561c)
-rw-r--r--src/qml/qml/qqmlvaluetypewrapper.cpp12
1 files changed, 7 insertions, 5 deletions
diff --git a/src/qml/qml/qqmlvaluetypewrapper.cpp b/src/qml/qml/qqmlvaluetypewrapper.cpp
index 6d89ec6444..6e965f2115 100644
--- a/src/qml/qml/qqmlvaluetypewrapper.cpp
+++ b/src/qml/qml/qqmlvaluetypewrapper.cpp
@@ -543,6 +543,13 @@ QMetaType QQmlValueTypeWrapper::type() const
bool QQmlValueTypeWrapper::write(QObject *target, int propertyIndex) const
{
bool destructGadgetOnExit = false;
+ auto cleanup = qScopeGuard([&]() {
+ if (destructGadgetOnExit) {
+ d()->metaType().destruct(d()->gadgetPtr());
+ d()->setGadgetPtr(nullptr);
+ }
+ });
+
Q_ALLOCA_DECLARE(void, gadget);
if (d()->isReference()) {
if (!d()->gadgetPtr()) {
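Review bot: The scope guard `cleanup` is declared above `Q_ALLOCA_DECLARE(void, gadget);`, so it is destroyed after whatever that macro declares, and its `d()->metaType().destruct(d()->gadgetPtr())` call runs last. The macro's definition is not visible in this hunk; if it declares an owning object for a heap fallback (used when the requested size is too large for the stack), that buffer would be released before the guard destructs the gadget stored in it. Declaring the guard directly after `Q_ALLOCA_DECLARE(void, gadget);` keeps the storage alive until the gadget's destructor has run on every exit path. A one-line comment above the guard, e.g. `// Must run before the gadget storage is released: gadgetPtr may point into it.`, would record the ordering requirement. The body of write() continues past the end of this hunk.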
@@ -559,11 +566,6 @@ bool QQmlValueTypeWrapper::write(QObject *target, int propertyIndex) const
int status = -1;
void *a[] = { d()->gadgetPtr(), nullptr, &status, &flags };
QMetaObject::metacall(target, QMetaObject::WriteProperty, propertyIndex, a);
-
- if (destructGadgetOnExit) {
- d()->metaType().destruct(d()->gadgetPtr());
- d()->setGadgetPtr(nullptr);
- }
return true;
}