Problem investigating a heap-use-after-free in kwindowsystem
thomas.luebking at gmail.com
Fri Oct 2 21:34:43 BST 2015
get_stringlist_reply creates the byte arrays with QByteArray::fromRawData(), nukes the reply and returns the list, which now contains freed memory.
This was also just a problem in Baloo; smells like the ::fromRawData "constructor" could use a free function pointer to be called when the bytearray is ultimately released.
Until then, the functions will have to copy the data, and/or the function needs to be "pimped" to allow the client code to nuke the bytearray payload when it's no longer required.
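The three variants discussed in the message, as an added example that is not code from the post, from kwindowsystem or from Qt. Everything here is a constructed stand-in: `Reply`, `make_reply()` and `free_reply()` mimic an xcb reply holding NUL-separated strings, `RawBytes` has the non-owning semantics of `QByteArray::fromRawData()`, and `get_stringlist_reply_buggy()` is modelled on the pattern described above, not on the real function. Because reading genuinely freed memory is undefined behaviour, the stand-in `free_reply()` quarantines and poisons the block instead of releasing it, so the dangling read in variant 1 is observable deterministically (much like ASan's quarantine would catch it). Variant 2 is the interim copy, variant 3 is the "free function pointer" idea realised with a shared owner whose deleter is `free_reply`.

```cpp
#include <cstddef>
#include <cstring>
#include <memory>
#include <string>
#include <vector>

// Constructed stand-in for an xcb reply carrying NUL-separated strings.
// Not the real xcb type.
struct Reply {
    char* payload;
    std::size_t len;
    bool freed;
};

static int g_reply_frees = 0;  // how often free_reply() ran (for checking)

static Reply* make_reply(const std::vector<std::string>& items) {
    std::size_t total = 0;
    for (const auto& s : items) total += s.size() + 1;
    Reply* r = new Reply{new char[total ? total : 1], total, false};
    std::size_t off = 0;
    for (const auto& s : items) {
        std::memcpy(r->payload + off, s.data(), s.size());
        off += s.size();
        r->payload[off++] = '\0';
    }
    return r;
}

// Stand-in for free(reply). A real free() makes later reads undefined
// behaviour, so this sandbox quarantines the block (never releases it)
// and poisons the payload so a dangling read is visible.
static void free_reply(Reply* r) {
    std::memset(r->payload, 0xDD, r->len);
    r->freed = true;
    ++g_reply_frees;
}

// Non-owning view with QByteArray::fromRawData() semantics: no copy,
// no ownership, valid only while the underlying buffer is.
struct RawBytes {
    const char* data;
    std::size_t size;
    std::string str() const { return std::string(data, size); }
};

// One RawBytes per NUL-terminated entry in the payload.
static std::vector<RawBytes> split_raw(const char* p, std::size_t len) {
    std::vector<RawBytes> out;
    std::size_t start = 0;
    for (std::size_t i = 0; i < len; ++i) {
        if (p[i] == '\0') {
            out.push_back({p + start, i - start});
            start = i + 1;
        }
    }
    return out;
}

// 1) The pattern from the post: wrap the reply with fromRawData()-style
//    views, free the reply, return the list. Every entry now points into
//    freed memory; the first read is a heap-use-after-free.
static std::vector<RawBytes> get_stringlist_reply_buggy(Reply* r) {
    std::vector<RawBytes> list = split_raw(r->payload, r->len);
    free_reply(r);
    return list;
}

// 2) Interim fix: copy every entry before the reply goes away.
static std::vector<std::string> get_stringlist_reply_copy(Reply* r) {
    std::vector<std::string> list;
    for (const RawBytes& b : split_raw(r->payload, r->len)) list.push_back(b.str());
    free_reply(r);
    return list;
}

// 3) The "free function pointer" idea: each view keeps the reply alive via
//    a shared owner whose deleter is free_reply, so the reply is released
//    exactly once, when the last view is destroyed.
struct OwnedBytes {
    RawBytes view;
    std::shared_ptr<Reply> keepalive;
    std::string str() const { return view.str(); }
};

static std::vector<OwnedBytes> get_stringlist_reply_shared(Reply* r) {
    std::shared_ptr<Reply> owner(r, free_reply);
    std::vector<OwnedBytes> list;
    for (const RawBytes& b : split_raw(r->payload, r->len)) list.push_back({b, owner});
    return list;  // `owner` dies here; the views still hold references
}

// Returns how many times the reply was freed after the shared list is gone
// (expected 1), or -1 if it was freed early or the data was already wrong.
static int frees_after_shared_list_released() {
    g_reply_frees = 0;
    {
        std::vector<OwnedBytes> list =
            get_stringlist_reply_shared(make_reply({"WM_NAME", "_NET_WM_NAME"}));
        if (g_reply_frees != 0 || list[1].str() != "_NET_WM_NAME") return -1;
    }
    return g_reply_frees;
}
```

Variant 1 returns entries whose bytes have become 0xDD poison in this sandbox; with a real `free()` the same code is the heap-use-after-free that ASan reports. Variant 3 trades the copy for one extra reference-count word per entry and defers the free to whichever view is released last, which is what a deleter hook on a `fromRawData()`-style constructor would buy.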