From b34bea5e96370986ea5dfc499fc2ec6366fda627 Mon Sep 17 00:00:00 2001
From: Ivan Solovev
Date: Thu, 9 Feb 2023 16:12:15 +0100
Subject: QFuture: fix continuation cleanup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Not clearing the continuationData could lead to use-after-free when there is an attempt to cancel an already finished future, which belongs to an already-destroyed promise. This patch fixes it be explicitly resetting continuationData to nullptr in the clearContinuation() method, which is called from the QPromise destructor.

Task-number: QTBUG-103514
Pick-to: 6.5 6.4 6.2
Change-Id: I6418b3f5ad04f2fdc13a196ae208009eaa5de367
Reviewed-by: Qt CI Bot
Reviewed-by: MÃ¥rten Nordheim
---
 src/corelib/thread/qfutureinterface.cpp | 1 +
 1 file changed, 1 insertion(+)

(limited to 'src/corelib/thread/qfutureinterface.cpp')

diff --git a/src/corelib/thread/qfutureinterface.cpp b/src/corelib/thread/qfutureinterface.cpp
index eedfd7ceeb9..ed46052fa7b 100644
--- a/src/corelib/thread/qfutureinterface.cpp
+++ b/src/corelib/thread/qfutureinterface.cpp
@@ -847,6 +847,7 @@ void QFutureInterfaceBase::cleanContinuation()
     QMutexLocker lock(&d->continuationMutex);
     d->continuation = nullptr;
     d->continuationState = QFutureInterfaceBasePrivate::Cleaned;
+    d->continuationData = nullptr;
 }
 
 void QFutureInterfaceBase::runContinuation() const
-- 
cgit v1.2.3
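Review bot: The added `d->continuationData = nullptr;` carries no comment, and nothing at this line tells a reader that the pointer is about to dangle because the promise owning that data is being destroyed; consider `d->continuationData = nullptr; // owner (the promise) is going away; a later cancel() on the finished future must see null, not a stale pointer`. The store is made under continuationMutex, which only closes the use-after-free if the cancel path reads continuationData under the same lock and checks it for null; that path is not in this hunk, so it is worth confirming rather than assuming. The diffstat shows a single insertion and the listing is limited to this file, so if the full commit carries no regression test for cancelling an already finished future after its promise is destroyed, the description gives a precise enough scenario to add one. The description names clearContinuation(), while the hunk header shows the function is cleanContinuation(). cleanContinuation()'s opening lines are outside the hunk.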