From 5eeecdb1b4d0bf34832e24b99e08b73e0804a62c Mon Sep 17 00:00:00 2001
From: Thomas Hartmann <thomas.hartmann@qt.io>
Date: Tue, 29 Nov 2016 16:53:03 +0100
Subject: [PATCH] QmlDesigner: Fixing double free

Calling detach() in setKey() will free the shared memory twice, if
we do not set m_memory to nullptr.
Clean cleanHandleInternal() does always return true, so
checking the value does not make sense.
We have to call cleanHandleInternal() immediately after the close.

Change-Id: I110693d1dd9dae4ff5e52cfd3fdd2f33137af969
Reviewed-by: Tobias Hunger <tobias.hunger@qt.io>
---
 .../qtcreator/qml/qmlpuppet/container/sharedmemory.h  |  2 +-
 .../qml/qmlpuppet/container/sharedmemory_unix.cpp     | 11 ++++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/share/qtcreator/qml/qmlpuppet/container/sharedmemory.h b/share/qtcreator/qml/qmlpuppet/container/sharedmemory.h
index 9e6dc794e8..3266fa25ed 100644
--- a/share/qtcreator/qml/qmlpuppet/container/sharedmemory.h
+++ b/share/qtcreator/qml/qmlpuppet/container/sharedmemory.h
@@ -61,7 +61,7 @@ public:
 protected:
 #ifdef Q_OS_UNIX
     bool initKeyInternal();
-    bool cleanHandleInternal();
+    void cleanHandleInternal();
     bool createInternal(QSharedMemory::AccessMode mode, int size);
     bool attachInternal(QSharedMemory::AccessMode mode);
     bool detachInternal();
diff --git a/share/qtcreator/qml/qmlpuppet/container/sharedmemory_unix.cpp b/share/qtcreator/qml/qmlpuppet/container/sharedmemory_unix.cpp
index 23cd473012..53e7c7533a 100644
--- a/share/qtcreator/qml/qmlpuppet/container/sharedmemory_unix.cpp
+++ b/share/qtcreator/qml/qmlpuppet/container/sharedmemory_unix.cpp
@@ -124,10 +124,13 @@ SharedMemory::~SharedMemory()
 {
     if (m_memory) {
         munmap(m_memory, m_size);
+        m_memory = nullptr;
+        m_size = 0;
     }
 
     if (m_fileHandle != -1) {
         close(m_fileHandle);
+        cleanHandleInternal();
         if (m_createdByMe)
             shm_unlink(m_nativeKey);
     }
@@ -142,7 +145,7 @@ void SharedMemory::setKey(const QString &key)
 
     if (isAttached())
         detach();
-    cleanHandleInternal();
+
     m_key = key;
     m_nativeKey = makePlatformSafeKey(key);
 }
@@ -299,8 +302,7 @@ void SharedMemory::setErrorString(const QString &function)
 
 bool SharedMemory::initKeyInternal()
 {
-    if (!cleanHandleInternal())
-        return false;
+    cleanHandleInternal();
 
     m_systemSemaphore.setKey(QString(), 1);
     m_systemSemaphore.setKey(m_key, 1);
@@ -341,10 +343,9 @@ int SharedMemory::handle()
     return m_fileHandle;
 }
 
-bool SharedMemory::cleanHandleInternal()
+void SharedMemory::cleanHandleInternal()
 {
     m_fileHandle = -1;
-    return true;
 }
 
 bool SharedMemory::createInternal(QSharedMemory::AccessMode mode, int size)
-- 
GitLab