authorAllan Sandfeld Jensen <allan.jensen@qt.io>2018-08-13 15:29:16 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2018-09-04 16:04:09 +0000
commit28a6e642af2ccb454dd019f551c2908753f76f08 (patch)
treebc17c83fa56b23ee3dfc71d4d969ce311361f7b5
parent8193340a44fd835cee029e63a31cfcab8ef6fd55 (diff)
Fix possible heap corruption in QXmlStream
The value of 'tos' at the check might already be on the last element, so triggering stack expansion on the second last element is too late. Change-Id: Ib3ab2662d4d27a71effe9e988b9e172923af2908 Reviewed-by: Richard J. Moore <rich@kde.org> Reviewed-by: Thiago Macieira <thiago.macieira@intel.com> (cherry picked from commit 6256729a6da532079505edfe4c56a6ef29cd8ab8)
-rw-r--r--src/corelib/xml/qxmlstream_p.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/corelib/xml/qxmlstream_p.h b/src/corelib/xml/qxmlstream_p.h
index d22a697e5d..1635d31e38 100644
--- a/src/corelib/xml/qxmlstream_p.h
+++ b/src/corelib/xml/qxmlstream_p.h
@@ -1235,7 +1235,7 @@ bool QXmlStreamReaderPrivate::parse()
state_stack[tos] = 0;
return true;
} else if (act > 0) {
- if (++tos == stack_size-1)
+ if (++tos >= stack_size-1)
reallocateStack();
Value &val = sym_stack[tos];
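Review bot: The `>=` guard on the `++tos` line still depends on a single `reallocateStack()` call growing `sym_stack` and `state_stack` far enough that `tos` becomes a valid index, and nothing visible in the hunk establishes that. The commit message says `tos` can already be on the last element when this check runs, which suggests it is advanced somewhere else without a capacity check; that path is outside the hunk and is presumably where the overrun starts. I would add a why-comment above the check, e.g. `// tos may already be at the last slot here, so grow on >= rather than ==`, and a `Q_ASSERT(tos < stack_size);` just before `Value &val = sym_stack[tos];` so a regression trips in debug builds instead of silently writing past the heap buffer. A regression test feeding the reader deeply nested or malformed input would also help, since this code parses untrusted XML. `parse()` begins and ends outside the hunk.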