diff options
| author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-08-13 15:29:16 +0200 |
|---|---|---|
| committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-08-13 15:10:11 +0000 |
| commit | 6256729a6da532079505edfe4c56a6ef29cd8ab8 (patch) | |
| tree | ef8eaa9311e831e894746f5afd518decbf70dfdf /src | |
| parent | 6854fa75f78ec202f1e5dce5bd8adec31d1dbc7e (diff) | |
Fix possible heap corruption in QXmlStream
The value of 'tos' at the check might already be on the last element,
so triggering stack expansion on the second last element is too late.
Change-Id: Ib3ab2662d4d27a71effe9e988b9e172923af2908
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Diffstat (limited to 'src')
| -rw-r--r-- | src/corelib/serialization/qxmlstream_p.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h index 4157fbbd0e..f8b1ede943 100644 --- a/src/corelib/serialization/qxmlstream_p.h +++ b/src/corelib/serialization/qxmlstream_p.h @@ -1250,7 +1250,7 @@ bool QXmlStreamReaderPrivate::parse() state_stack[tos] = 0; return true; } else if (act > 0) { - if (++tos == stack_size-1) + if (++tos >= stack_size-1) reallocateStack(); Value &val = sym_stack[tos]; |