Fix possible heap corruption in QXmlStream
author Allan Sandfeld Jensen <allan.jensen@qt.io>
Mon, 13 Aug 2018 13:29:16 +0000 (15:29 +0200)
committer Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
Tue, 25 Sep 2018 21:26:54 +0000 (22:26 +0100)
The value of 'tos' at the check might already be on the last element,
so triggering stack expansion on the second last element is too late.

Change-Id: Ib3ab2662d4d27a71effe9e988b9e172923af2908
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
(cherry picked from commit 6256729a6da532079505edfe4c56a6ef29cd8ab8)
Reviewed-By: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
Last-Update: 2018-09-25

Gbp-Pq: Name fix_possible_heap_corruption_in_qxmlstream.patch

src/corelib/serialization/qxmlstream_p.h

index 4157fbbd0e0395d8ab2f83a65c39924f8f77c9c6..f8b1ede9439bcd1f6112c324da4639cfe92691d7 100644 (file)
@@ -1250,7 +1250,7 @@ bool QXmlStreamReaderPrivate::parse()
             state_stack[tos] = 0;
             return true;
         } else if (act > 0) {
-            if (++tos == stack_size-1)
+            if (++tos >= stack_size-1)
                 reallocateStack();
 
             Value &val = sym_stack[tos];
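Review bot: the `>=` comparison covers the case the commit message describes (tos already on the last element before `++tos`, so the old `==` test never fires), but the safety of `sym_stack[tos]` two lines below now rests on reallocateStack() growing the stacks far enough to cover index tos, which at this point can equal stack_size rather than stack_size-1; a short comment at the call site, or an assertion that tos < stack_size after the call, would make that invariant explicit and would catch a regression if the growth policy of reallocateStack() ever changes.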