From b9f96cacc99c8a242f45f4581843a6b1c67501f4 Mon Sep 17 00:00:00 2001
From: Giuseppe D'Angelo <giuseppe.dangelo@kdab.com>
Date: Mon, 27 May 2019 19:00:09 +0200
Subject: QRegExp: remove an out of bounds access into QString

... spotted with the brand-new checks for that in QCharRef.

The rx[i] == ~~~ check is clearly wrong, as rx is the regexp
we're building and `i` was not supposed to index into it.

The intended meaning was wc[i] == ~~~, testing if we were seeing
the closing bracket of a character set. We need to check for
that immediately for dealing with the special syntax of []...] where
the ] belongs to the character set (it can't be the closing one
as character sets cannot be empty).

Fix and add a regression test. Bonus: this code was almost
unchanged since 2009.

Change-Id: I958cd87fc25558e9d202d18b3dd4a35d0db16d8d
Reviewed-by: Marc Mutz <marc.mutz@kdab.com>
Reviewed-by: hjk <hjk@qt.io>
---
 src/corelib/tools/qregexp.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/corelib/tools')

diff --git a/src/corelib/tools/qregexp.cpp b/src/corelib/tools/qregexp.cpp
index 87b30c952e..ef24c952eb 100644
--- a/src/corelib/tools/qregexp.cpp
+++ b/src/corelib/tools/qregexp.cpp
@@ -825,7 +825,7 @@ static QString wc2rx(const QString &wc_str, const bool enableEscaping)
                 if (wc[i] == QLatin1Char('^'))
                     rx += wc[i++];
                 if (i < wclen) {
-                    if (rx[i] == QLatin1Char(']'))
+                    if (wc[i] == QLatin1Char(']'))
                         rx += wc[i++];
                     while (i < wclen && wc[i] != QLatin1Char(']')) {
                         if (wc[i] == QLatin1Char('\\'))
-- 
cgit v1.2.3