authorAxel Spoerl <[email protected]>2025-11-20 13:03:22 +0100
committerAxel Spoerl <[email protected]>2025-11-25 19:26:23 +0100
commit36de22f88787498045f69f493c944c5a6370d091 (patch)
tree2babf0767aa48ac369cca5019c26cb0fe5670437
parent1a0ea9d3481ae8882697a27899d778ab782ee5de (diff)
Account for null QPointer in QWidgetAnimator
QWidgetAnimator has a QHash member m_animation_map with all active animations. Since it doesn't own the animations, they can get deleted while their pointers are still in the map. To avoid UAF, the QPropertyAnimation pointers are held in a QPointer. When a null QPointer was in the map, it caused a nullptr dereference and animating() returned true, even though nothing was animating. Add missing nullptr check. Don't count null QPointer as an ongoing animation. Amends 33214af3784feacb2d5188bbf07da92f45f582f9. Fixes: QTBUG-141761 Pick-to: 6.10 6.8 6.5 Change-Id: Iec081472ece2ec86b9ddcb7616ed65401be20cc4 Reviewed-by: Volker Hilsheimer <[email protected]>
-rw-r--r--src/widgets/widgets/qwidgetanimator.cpp5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/widgets/widgets/qwidgetanimator.cpp b/src/widgets/widgets/qwidgetanimator.cpp
index 99a051357ee..1216f535b8b 100644
--- a/src/widgets/widgets/qwidgetanimator.cpp
+++ b/src/widgets/widgets/qwidgetanimator.cpp
@@ -53,7 +53,7 @@ void QWidgetAnimator::animate(QWidget *widget, const QRect &_final_geometry, boo
//If the QStyle has animations, animate
if (const int animationDuration = widget->style()->styleHint(QStyle::SH_Widget_Animation_Duration, nullptr, widget)) {
AnimationMap::const_iterator it = m_animation_map.constFind(widget);
- if (it != m_animation_map.constEnd() && (*it)->endValue().toRect() == final_geometry)
+ if (it != m_animation_map.constEnd() && *it && (*it)->endValue().toRect() == final_geometry)
return;
QPropertyAnimation *anim = new QPropertyAnimation(widget, "geometry", widget);
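Review bot: The added `*it &&` guard in animate() would benefit from a one-line comment saying why a map entry can be null, e.g. `// QPointer resets to null when the animation is deleted elsewhere; treat as no running animation`. With the guard in place, a null entry now falls through to the `new QPropertyAnimation` path. Whether the stale entry for `widget` is then overwritten is decided outside this hunk, so confirm it is replaced rather than left in the map. The body of animate() starts and ends outside the hunk.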
@@ -76,7 +76,8 @@ void QWidgetAnimator::animate(QWidget *widget, const QRect &_final_geometry, boo
bool QWidgetAnimator::animating() const
{
- return !m_animation_map.isEmpty();
+ auto isActiveAnimation = [](const QPointer<QPropertyAnimation> &p) { return !p.isNull(); };
+ return !std::all_of(m_animation_map.begin(), m_animation_map.end(), isActiveAnimation);
}
QT_END_NAMESPACE
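Review bot: The new return expression in animating() is inverted: `!std::all_of(..., isActiveAnimation)` is true only when at least one entry is a null QPointer, and false when every entry is a live animation. That contradicts the commit's stated intent of not counting a null QPointer as an ongoing animation, and it reports "not animating" while animations are running. The line should be `return std::any_of(m_animation_map.begin(), m_animation_map.end(), isActiveAnimation);`, which also yields false for an empty map. The hunk does not show an `#include <algorithm>`, so confirm the file includes it directly rather than relying on a transitive include.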