Fix crash in QVector::reserve when reserving smaller size on a shared vector

We cannot call realloc with aalloc smaller than asize.

Also include obvious optimisation: take the qMin computation out of
the loop.

Task-number: QTBUG-6416
Reviewed-by: Thiago

1 files changed, 4 insertions, 2 deletions

diff --git a/src/corelib/tools/qvector.h b/src/corelib/tools/qvector.h
index f0de98dd85..201e7b3103 100644
--- a/src/corelib/tools/qvector.h
+++ b/src/corelib/tools/qvector.h
@@ -324,7 +324,7 @@ void QVector<T>::detach_helper()
 { realloc(d->size, d->alloc); }
 template <typename T>
 void QVector<T>::reserve(int asize)
-{ if (asize > d->alloc || d->ref != 1) realloc(d->size, asize); d->capacity = 1; }
+{ if (asize > d->alloc) realloc(d->size, asize); if (d->ref == 1) d->capacity = 1; }
 template <typename T>
 void QVector<T>::resize(int asize)
 { realloc(asize, (asize > d->alloc || (!d->capacity && asize < d->size && asize < (d->alloc >> 1))) ?
@@ -441,6 +441,7 @@ void QVector<T>::free(Data *x)
 template <typename T>
 void QVector<T>::realloc(int asize, int aalloc)
 {
+    Q_ASSERT(asize <= aalloc);
     T *pOld;
     T *pNew;
     union { QVectorData *d; Data *p; } x;
@@ -496,7 +497,8 @@ void QVector<T>::realloc(int asize, int aalloc)
             pOld = p->array + x.d->size;
             pNew = x.p->array + x.d->size;
             // copy objects from the old array into the new array
-            while (x.d->size < qMin(asize, d->size)) {
+            const int toMove = qMin(asize, d->size);
+            while (x.d->size < toMove) {
                 new (pNew++) T(*pOld++);
                 x.d->size++;
             }