From fc964a9581b47eec70a2a8067af9e263ec2ac610 Mon Sep 17 00:00:00 2001
From: Christian Mollekopf <chrigi_1@fastmail.fm>
Date: Thu, 9 Nov 2017 20:14:43 +0100
Subject: Fixed use after free

---
 common/resourceaccess.cpp | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

(limited to 'common/resourceaccess.cpp')

diff --git a/common/resourceaccess.cpp b/common/resourceaccess.cpp
index 5e15786..68bbb7a 100644
--- a/common/resourceaccess.cpp
+++ b/common/resourceaccess.cpp
@@ -676,8 +676,7 @@ Sink::ResourceAccess::Ptr ResourceAccessFactory::getAccess(const QByteArray &ins
     if (!mCache.contains(instanceIdentifier)) {
         // Reuse the pointer if something else kept the resourceaccess alive
         if (mWeakCache.contains(instanceIdentifier)) {
-            auto sharedPointer = mWeakCache.value(instanceIdentifier).toStrongRef();
-            if (sharedPointer) {
+            if (auto sharedPointer = mWeakCache.value(instanceIdentifier).toStrongRef()) {
                 mCache.insert(instanceIdentifier, sharedPointer);
             }
         }
@@ -686,7 +685,12 @@ Sink::ResourceAccess::Ptr ResourceAccessFactory::getAccess(const QByteArray &ins
             auto sharedPointer = Sink::ResourceAccess::Ptr::create(instanceIdentifier, resourceType);
             QObject::connect(sharedPointer.data(), &Sink::ResourceAccess::ready, sharedPointer.data(), [this, instanceIdentifier](bool ready) {
                 if (!ready) {
-                    mCache.remove(instanceIdentifier);
+                    //We want to remove, but we don't want shared pointer to be destroyed until end of the function as this might trigger further steps.
+                    auto ptr = mCache.take(instanceIdentifier);
+                    if (auto timer = mTimer.take(instanceIdentifier)) {
+                        timer->stop();
+                    }
+                    Q_UNUSED(ptr);
                 }
             });
             mCache.insert(instanceIdentifier, sharedPointer);
@@ -694,15 +698,18 @@ Sink::ResourceAccess::Ptr ResourceAccessFactory::getAccess(const QByteArray &ins
         }
     }
     if (!mTimer.contains(instanceIdentifier)) {
-        auto timer = new QTimer;
+        auto timer = QSharedPointer<QTimer>::create();
         timer->setSingleShot(true);
         // Drop connection after 3 seconds (which is a random value)
-        QObject::connect(timer, &QTimer::timeout, timer, [this, instanceIdentifier]() { mCache.remove(instanceIdentifier); });
+        QObject::connect(timer.data(), &QTimer::timeout, timer.data(), [this, instanceIdentifier]() {
+            //We want to remove, but we don't want shared pointer to be destroyed until end of the function as this might trigger further steps.
+            auto ptr = mCache.take(instanceIdentifier);
+            Q_UNUSED(ptr);
+        });
         timer->setInterval(3000);
         mTimer.insert(instanceIdentifier, timer);
     }
-    auto timer = mTimer.value(instanceIdentifier);
-    timer->start();
+    mTimer.value(instanceIdentifier)->start();
     return mCache.value(instanceIdentifier);
 }
 }
-- 
cgit v1.2.3