[vlc-commits] [Git][videolan/vlc][master] 2 commits: qt: fix use after free in `CompositorVideo::commonGUICreate()`

Jean-Baptiste Kempf (@jbk) gitlab at videolan.org
Wed May 13 07:16:52 UTC 2026 


Jean-Baptiste Kempf pushed to branch master at VideoLAN / VLC


Commits:
d12cc266 by Fatih Uzunoglu at 2026-05-13T07:18:35+02:00
qt: fix use after free in `CompositorVideo::commonGUICreate()`

We do not keep the `QQmlComponent` around for the root item
because the root item is not meant to be instantiated multiple
times, thanks to 455c91cf.

Calling `::createRootItem()` therefore deletes the component
after it creates the root item.

In this case, when `::setContent()` is used, it first gets
a valid `QQmlComponent` since `::getComponent()` is called
first, and then the component is deleted when `::createRootItem()`
is called. If the parameter order was different, such bug
would not exist (since calling `::getComponent()` after
calling `::createRootItem()` would return null pointer).

Unfortunately `QQuickView` takes the component as a raw pointer
and not a weak pointer, so there is not much we can do about
that here besides not providing the component. I still changed
the `::getComponent()` to return a weak pointer, though.

That being said, we should not really provide the component
anyway because we manage the creation of the root item. I
have checked the source code of `QQuickView`, and it does
not seem to actually require the component. Providing both
the component and the item does not make much sense, and I
assume that is why `QQuickView::setContent()` is marked as
internal.

Regression since 455c91cf.

- - - - -
564e6d04 by Fatih Uzunoglu at 2026-05-13T07:18:35+02:00
qt: do not require the component in `QmlUISurface::setContent()`

- - - - -


5 changed files:

- modules/gui/qt/maininterface/compositor.cpp
- modules/gui/qt/maininterface/compositor.hpp
- modules/gui/qt/maininterface/compositor_x11_uisurface.cpp
- modules/gui/qt/maininterface/compositor_x11_uisurface.hpp
- modules/gui/qt/maininterface/mainui.hpp


Changes:

=====================================
modules/gui/qt/maininterface/compositor.cpp
=====================================
@@ -381,7 +381,7 @@ bool CompositorVideo::commonGUICreate(QWindow* window, QmlUISurface* qmlSurface,
     ret = m_ui->setup(qmlSurface->engine());
     if (! ret)
         return false;
-    qmlSurface->setContent(m_ui->getComponent(), m_ui->createRootItem());
+    qmlSurface->setContent(m_ui->createRootItem());
     return true;
 }
 
@@ -393,7 +393,7 @@ bool CompositorVideo::commonGUICreate(QWindow* window, QQuickView* qmlView, Comp
     ret = m_ui->setup(qmlView->engine());
     if (! ret)
         return false;
-    qmlView->setContent(QUrl(), m_ui->getComponent(), m_ui->createRootItem());
+    qmlView->setContent(QUrl(), nullptr, m_ui->createRootItem());
     return true;
 }
 


=====================================
modules/gui/qt/maininterface/compositor.hpp
=====================================
@@ -125,7 +125,7 @@ public:
     public:
         virtual ~QmlUISurface() = default;
         virtual QQmlEngine* engine() const = 0;
-        virtual void setContent(QQmlComponent *component, QQuickItem *item) = 0;
+        virtual void setContent(QQuickItem *item) = 0;
 
         virtual QQuickItem * activeFocusItem() const = 0;
     };


=====================================
modules/gui/qt/maininterface/compositor_x11_uisurface.cpp
=====================================
@@ -149,7 +149,7 @@ CompositorX11UISurface::~CompositorX11UISurface()
 }
 
 
-void CompositorX11UISurface::setContent(QQmlComponent*,  QQuickItem* rootItem)
+void CompositorX11UISurface::setContent(QQuickItem* rootItem)
 {
     assert(rootItem);
     m_rootItem = rootItem;


=====================================
modules/gui/qt/maininterface/compositor_x11_uisurface.hpp
=====================================
@@ -62,7 +62,7 @@ public:
     bool handleWindowEvent(QEvent *event);
 
     //QmlUISurface API
-    void setContent(QQmlComponent*,  QQuickItem* rootItem) override;
+    void setContent(QQuickItem* rootItem) override;
     QQmlEngine* engine() const override { return m_qmlEngine; }
 
     QQuickItem * activeFocusItem() const override;


=====================================
modules/gui/qt/maininterface/mainui.hpp
=====================================
@@ -24,7 +24,7 @@ public:
 
     [[nodiscard]] bool setup(QQmlEngine* engine);
 
-    inline QQmlComponent* getComponent() const {return m_component;}
+    QPointer<QQmlComponent> getComponent() const {return m_component;}
     VLC_USED
     QQuickItem* createRootItem();
 



View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/ebe6e5ebf9d0493939dbc37f2a789e33939ded75...564e6d04fa128c03406e3a573cd110ddcb167d32

-- 
View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/ebe6e5ebf9d0493939dbc37f2a789e33939ded75...564e6d04fa128c03406e3a573cd110ddcb167d32
You're receiving this email because of your account on code.videolan.org.

More information about the vlc-commits mailing list