From 6256729a6da532079505edfe4c56a6ef29cd8ab8 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Mon, 13 Aug 2018 15:29:16 +0200
Subject: [PATCH] Fix possible heap corruption in QXmlStream
The value of 'tos' at the check might already be on the last element,
so triggering stack expansion on the second last element is too late.
Change-Id: Ib3ab2662d4d27a71effe9e988b9e172923af2908
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
---
src/corelib/serialization/qxmlstream_p.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
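diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h
index 4157fbbd0e0..f8b1ede9439 100644
--- a/src/corelib/serialization/qxmlstream_p.h
+++ b/src/corelib/serialization/qxmlstream_p.h
@@ -1250,7 +1250,7 @@ bool QXmlStreamReaderPrivate::parse()
         state_stack[tos] = 0;
         return true;
     } else if (act > 0) {
-        if (++tos == stack_size-1)
+        if (++tos >= stack_size-1)
             reallocateStack();
 
         Value &val = sym_stack[tos];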
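Review bot: The widened guard `if (++tos >= stack_size-1)` still leaves the `sym_stack[tos]` write two lines below it depending on reallocateStack() presumably growing the stack past the new tos, and nothing in the hunk verifies that; a debug check after the call, `Q_ASSERT(tos < stack_size);`, would turn a future regression in the growth policy into a diagnosed failure instead of the silent out-of-bounds write this commit fixes. The reason `==` was insufficient — tos can already sit on the last element when this branch is reached — lives only in the commit message, so a one-line comment on the condition, `// tos may already be at the last slot here, so an equality test would skip the expansion`, would keep that invariant next to the code. The enclosing parse() starts and ends outside the hunk.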
--
2.16.3