Skip to content

fix: resolve heap-use-after-free in NoteListView on exit (#732)#772

Open
bomlinux92-byte wants to merge 1 commit into
nuttyartist:masterfrom
bomlinux92-byte:bounty-fix-732-2026-05-29
Open

fix: resolve heap-use-after-free in NoteListView on exit (#732)#772
bomlinux92-byte wants to merge 1 commit into
nuttyartist:masterfrom
bomlinux92-byte:bounty-fix-732-2026-05-29

Conversation

@bomlinux92-byte

@bomlinux92-byte bomlinux92-byte commented May 28, 2026

Copy link
Copy Markdown

Summary

Fix for [BUG BOUNTY] heap-use-after-free in NoteListView on exit — Issue #732

Root cause

When the application exits, destructor calls . The problem:

  1. used followed by — the operator can cause implicit detachment of the internal map data, which is unsafe during destruction
  2. When the destructor passes , it's a no-op but still triggers the problematic code path
  3. in the destructor could be called after the model is already destroyed, leading to use-after-free

Fix

  1. Skip nullptr removal — now returns early if 02:07:27 up 33 days, 11:00, 1 user, load average: 1.96, 2.09, 1.97
    USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT since removing from a list is always a no-op
  2. Iterator-based access — replaced with to avoid implicit detachment
  3. Model validity check — now checks before iterating, and clears the map directly if the model is already destroyed

Verification

  • Build completes successfully
  • The fix prevents the heap-use-after-free by ensuring no operations occur on invalid/partial map states during destruction

Closes #732

fix: resolve bounty issue nuttyartist#732
395a014 
Root cause:
- NoteListDelegateEditor destructor calls unsetEditorWidget(m_id, nullptr)
- unsetEditorWidget was accessing m_openedEditor using operator[] which can
  cause detachment and re-allocation during destruction
- closeAllEditor() was called after model() might already be destroyed

Fix:
- Skip nullptr removal in unsetEditorWidget (no-op anyway)
- Use iterator-based access instead of operator[] to avoid detachment
- Add model() validity check in closeAllEditor() before iterating
- Clear m_openedEditor early if model is already destroyed
@zjeffer

zjeffer commented May 28, 2026

Copy link
Copy Markdown
Collaborator

Did you run it with asan to verify it's fixed?

@zjeffer

zjeffer commented May 28, 2026

Copy link
Copy Markdown
Collaborator

Also what's this? 😆

Skip nullptr removal — now returns early if 02:07:27 up 33 days, 11:00, 1 user, load average: 1.96, 2.09, 1.97
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT since removing from a list is always a no-op

There's also no bug bounty attached to this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

heap-use-after-free in NoteListView on exit

2 participants

@bomlinux92-byte @zjeffer