Bug#1081682: libqt5gui5: Segfault in QAccessibleTableInterface::cellAt

Fri, 21 Mar 2025 17:18:24 -0700 

Hello,

The attached patch for QT5 fixes the bug on Bookworm.
I tested successfully with TeamTalk V5.17, more precisely with the server list which is a table and crashes without this patch. To test, I applied the patch as it is then built qtbase-opensource-src. Then I installed patched version of libqt5gui5 and libqt5widget5, which fixed the issue, no more crash. 

I haven't got the patch for QT6.
Someone reported me the version of QT6 in testing has the fix.

Hop this helps,

--
Patrick ZAJDA

From 8857575813a73f59af2f004875ae85179e1ed666 Mon Sep 17 00:00:00 2001
From: Volker Hilsheimer <volker.hilshei...@qt.io>
Date: Mon, 03 Jun 2024 10:14:54 +0200
Subject: [PATCH] a11y atspi: Add null checks in table iface methods

Add null checks to cover the cases where
QAccessibleTableInterface::cellAt returns
nullptr (which happens e.g. when called with
invalid indices via AT-SPI) or where the
cell object doesn't implement the
QAccessibleTableCellInterface, which
would previously result in crashes.

Cherry-picked into 5.15 as it fixes a crash in popular accessibility
client software. Conflict resolution: remove C++17'isms (`if`
with initializer).

Fixes: QTBUG-119167
Fixes: QTBUG-125954
Change-Id: Ieb42617b32ca829af09ae1d54f5de9ec029e3ab2
Reviewed-by: Jan Arve Sæther <jan-arve.saet...@qt.io>
(cherry picked from commit d91d53c951144255349e5d246353b598179ce967)
---

diff --git a/src/platformsupport/linuxaccessibility/atspiadaptor.cpp b/src/platformsupport/linuxaccessibility/atspiadaptor.cpp
index 8dd7851..f2a8080 100644
--- a/src/platformsupport/linuxaccessibility/atspiadaptor.cpp
+++ b/src/platformsupport/linuxaccessibility/atspiadaptor.cpp
@@ -2393,13 +2393,14 @@
         if (cols > 0) {
             row = index / cols;
             col = index % cols;
-            QAccessibleTableCellInterface *cell = interface->tableInterface()->cellAt(row, col)->tableCellInterface();
-            if (cell) {
-                row = cell->rowIndex();
-                col = cell->columnIndex();
-                rowExtents = cell->rowExtent();
-                colExtents = cell->columnExtent();
-                isSelected = cell->isSelected();
+            QAccessibleInterface *cell = interface->tableInterface()->cellAt(row, col);
+            QAccessibleTableCellInterface *cellIface = cell ? cell->tableCellInterface() : nullptr;
+            if (cellIface) {
+                row = cellIface->rowIndex();
+                col = cellIface->columnIndex();
+                rowExtents = cellIface->rowExtent();
+                colExtents = cellIface->columnExtent();
+                isSelected = cellIface->isSelected();
                 success = true;
             }
         }
@@ -2410,12 +2411,22 @@
     } else if (function == QLatin1String("GetColumnExtentAt")) {
         int row = message.arguments().at(0).toInt();
         int column = message.arguments().at(1).toInt();
-        connection.send(message.createReply(interface->tableInterface()->cellAt(row, column)->tableCellInterface()->columnExtent()));
+        int columnExtent = 0;
+        QAccessibleInterface *cell = interface->tableInterface()->cellAt(row, column);
+        QAccessibleTableCellInterface *cellIface = cell ? cell->tableCellInterface() : nullptr;
+        if (cellIface)
+            columnExtent = cellIface->columnExtent();
+        connection.send(message.createReply(columnExtent));
 
     } else if (function == QLatin1String("GetRowExtentAt")) {
         int row = message.arguments().at(0).toInt();
         int column = message.arguments().at(1).toInt();
-        connection.send(message.createReply(interface->tableInterface()->cellAt(row, column)->tableCellInterface()->rowExtent()));
+        int rowExtent = 0;
+        QAccessibleInterface *cell = interface->tableInterface()->cellAt(row, column);
+        QAccessibleTableCellInterface *cellIface = cell ? cell->tableCellInterface() : nullptr;
+        if (cellIface)
+            rowExtent = cellIface->rowExtent();
+        connection.send(message.createReply(rowExtent));
 
     } else if (function == QLatin1String("GetColumnHeader")) {
         int column = message.arguments().at(0).toInt();
@@ -2455,8 +2466,12 @@
     } else if (function == QLatin1String("IsSelected")) {
         int row = message.arguments().at(0).toInt();
         int column = message.arguments().at(1).toInt();
-        QAccessibleTableCellInterface* cell = interface->tableInterface()->cellAt(row, column)->tableCellInterface();
-        connection.send(message.createReply(cell->isSelected()));
+        bool isSelected = false;
+        QAccessibleInterface *cell = interface->tableInterface()->cellAt(row, column);
+        QAccessibleTableCellInterface *cellIface = cell ? cell->tableCellInterface() : nullptr;
+        if (cellIface)
+            isSelected = cellIface->isSelected();
+        connection.send(message.createReply(isSelected));
     } else if (function == QLatin1String("AddColumnSelection")) {
         int column = message.arguments().at(0).toInt();
         connection.send(message.createReply(interface->tableInterface()->selectColumn(column)));



Attachment:
OpenPGP_0x9D4AD35BEA273DCA.asc

Description: OpenPGP public key



Attachment:
OpenPGP_signature.asc

Description: OpenPGP digital signature






















					Reply via email to