Fix possible heap corruption in QXmlStream

The value of 'tos' at the check might already be on the last element, so triggering stack expansion on the second last element is too late. Change-Id: Ib3ab2662d4d27a71effe9e988b9e172923af2908 Reviewed-by: Richard J. Moore <rich@kde.org> Reviewed-by: Thiago Macieira <thiago.macieira@intel.com> (cherry picked from commit 6256729a6da532079505edfe4c56a6ef29cd8ab8)
author: Allan Sandfeld Jensen <allan.jensen@qt.io> 2018-08-13 15:29:16 +0200
committer: Allan Sandfeld Jensen <allan.jensen@qt.io> 2018-08-18 21:15:15 +0000
commit: b810bfc25815525ebae75476aa53e16671f1f2c2 (patch)
tree: 45675ed6592df956db7e405a457e5c8e9189f047
parent: 5178a89a6dd8d0bf6e05feb61f51d7a280231c2f (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/corelib/xml/qxmlstream_p.h b/src/corelib/xml/qxmlstream_p.h
index e6c89e40cd..3636c619e4 100644
--- a/src/corelib/xml/qxmlstream_p.h
+++ b/src/corelib/xml/qxmlstream_p.h
@@ -1243,7 +1243,7 @@ bool QXmlStreamReaderPrivate::parse()
             state_stack[tos] = 0;
             return true;
         } else if (act > 0) {
-            if (++tos == stack_size-1)
+            if (++tos >= stack_size-1)
                 reallocateStack();
 
             Value &val = sym_stack[tos];
author	Allan Sandfeld Jensen <allan.jensen@qt.io>	2018-08-13 15:29:16 +0200
committer	Allan Sandfeld Jensen <allan.jensen@qt.io>	2018-08-18 21:15:15 +0000
commit	b810bfc25815525ebae75476aa53e16671f1f2c2 (patch)
tree	45675ed6592df956db7e405a457e5c8e9189f047
parent	5178a89a6dd8d0bf6e05feb61f51d7a280231c2f (diff)