From 10a306b3f4d4c4e9c70e95fe1d38785dacd4a6c6 Mon Sep 17 00:00:00 2001
From: Jarek Kobus <jaroslaw.kobus@qt.io>
Date: Tue, 29 Nov 2022 21:22:22 +0100
Subject: [PATCH] DocumentModel: Fix possible use of deallocated memory

Setting entry to nullptr inside DocumentModelPrivate::addEntry()
sets it only locally inside this function, so the caller of
addEntry will still hold the originally passed pointer. So, if the
"if (previousEntry)" condition was hold, the caller of addEntry
operates on deleted pointer.

In order to fix it we return the valid pointer instead.

Change-Id: I3e4a5c3532ca942c43ab422a238f0a19ebd41794
Reviewed-by: Eike Ziller <eike.ziller@qt.io>
---
 src/plugins/coreplugin/editormanager/documentmodel.cpp | 9 ++++-----
 src/plugins/coreplugin/editormanager/documentmodel_p.h | 2 +-
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/plugins/coreplugin/editormanager/documentmodel.cpp b/src/plugins/coreplugin/editormanager/documentmodel.cpp
index c154ebb551e..8198a2a4762 100644
--- a/src/plugins/coreplugin/editormanager/documentmodel.cpp
+++ b/src/plugins/coreplugin/editormanager/documentmodel.cpp
@@ -79,7 +79,7 @@ int DocumentModelPrivate::rowCount(const QModelIndex &parent) const
     return 0;
 }
 
-void DocumentModelPrivate::addEntry(DocumentModel::Entry *entry)
+DocumentModel::Entry *DocumentModelPrivate::addEntry(DocumentModel::Entry *entry)
 {
     const Utils::FilePath filePath = entry->fileName();
 
@@ -95,9 +95,8 @@ void DocumentModelPrivate::addEntry(DocumentModel::Entry *entry)
                     this, [this, document = previousEntry->document] { itemChanged(document); });
         }
         delete entry;
-        entry = nullptr;
         disambiguateDisplayNames(previousEntry);
-        return;
+        return nullptr;
     }
 
     auto positions = positionEntry(m_entries, entry);
@@ -115,6 +114,7 @@ void DocumentModelPrivate::addEntry(DocumentModel::Entry *entry)
         itemChanged(document);
     });
     endInsertRows();
+    return entry;
 }
 
 bool DocumentModelPrivate::disambiguateDisplayNames(DocumentModel::Entry *entry)
@@ -411,8 +411,7 @@ DocumentModel::Entry *DocumentModelPrivate::addSuspendedDocument(const FilePath
         entry->document->setPreferredDisplayName(displayName);
     entry->document->setId(id);
     entry->isSuspended = true;
-    d->addEntry(entry);
-    return entry;
+    return d->addEntry(entry);
 }
 
 DocumentModel::Entry *DocumentModelPrivate::firstSuspendedEntry()
diff --git a/src/plugins/coreplugin/editormanager/documentmodel_p.h b/src/plugins/coreplugin/editormanager/documentmodel_p.h
index 560dd0d0bd0..7d44172688c 100644
--- a/src/plugins/coreplugin/editormanager/documentmodel_p.h
+++ b/src/plugins/coreplugin/editormanager/documentmodel_p.h
@@ -33,7 +33,7 @@ public:
     Qt::DropActions supportedDragActions() const override;
     QStringList mimeTypes() const override;
 
-    void addEntry(DocumentModel::Entry *entry);
+    DocumentModel::Entry *addEntry(DocumentModel::Entry *entry);
     void removeDocument(int idx);
 
     std::optional<int> indexOfFilePath(const Utils::FilePath &filePath) const;