From c149fd232daa4c62b0c39d603fe660104ceb92b5 Mon Sep 17 00:00:00 2001
From: Giuseppe D'Angelo <giuseppe.dangelo@kdab.com>
Date: Wed, 18 Nov 2020 12:20:01 +0100
Subject: QXmlStream: sanitize input before building a QChar

The result of getChar() may be a combination of a token category
and a code unit, like `((LETTER << 16) | c)`. Constructing a
QChar out of it requires masking the category out. This was already
done in a few code paths but missing in others.

Change-Id: I186fb01973a1badd425b3a6811843d8a40b13a6a
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
---
 src/corelib/serialization/qxmlstream.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp
index 7a4a6ed3e5..e56877082b 100644
--- a/src/corelib/serialization/qxmlstream.cpp
+++ b/src/corelib/serialization/qxmlstream.cpp
@@ -1189,7 +1189,7 @@ inline int QXmlStreamReaderPrivate::fastScanLiteralContent()
                 putChar(c);
                 return n;
             }
-            textBuffer += QChar(c);
+            textBuffer += QChar(ushort(c));
             ++n;
         }
     }
@@ -1345,7 +1345,7 @@ inline int QXmlStreamReaderPrivate::fastScanName(int *prefix)
             }
             Q_FALLTHROUGH();
         default:
-            textBuffer += QChar(c);
+            textBuffer += QChar(ushort(c));
             ++n;
         }
     }
-- 
cgit v1.2.3