From f5f2122cf1c9409dc0848e97b190b32052033107 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen
Date: Mon, 13 Aug 2018 15:29:16 +0200
Subject: [PATCH] Fix possible heap corruption in QXmlStream
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

The value of 'tos' at the check might already be on the last element, so triggering stack expansion on the second last element is too late.

Change-Id: Ib3ab2662d4d27a71effe9e988b9e172923af2908
Reviewed-by: Richard J. Moore
Reviewed-by: Thiago Macieira
(cherry picked from commit 6256729a6da532079505edfe4c56a6ef29cd8ab8)
Reviewed-By: Lisandro Damián Nicanor Pérez Meyer
Last-Update: 2018-09-25

Gbp-Pq: Name fix_possible_heap_corruption_in_qxmlstream.patch
---
 src/corelib/serialization/qxmlstream_p.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h
index 4157fbbd0..f8b1ede94 100644
--- a/src/corelib/serialization/qxmlstream_p.h
+++ b/src/corelib/serialization/qxmlstream_p.h
@@ -1250,7 +1250,7 @@ bool QXmlStreamReaderPrivate::parse()
 state_stack[tos] = 0;
 return true;
 } else if (act > 0) {
- if (++tos == stack_size-1)
+ if (++tos >= stack_size-1)
 reallocateStack();
 
 Value &val = sym_stack[tos];
--
2.30.2
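Review bot: The widened guard `if (++tos >= stack_size-1)` keeps the following write to `sym_stack[tos]` in bounds only if reallocateStack() always grows the arrays past the new tos, which this hunk does not show; a debug check after the call, `Q_ASSERT(tos < stack_size);`, would pin that invariant and catch any other push site that reaches this index unguarded. The commit message says tos could already sit on the last element when this check runs, so the same off-by-one is worth auditing at the other places that advance tos, all of which lie outside this hunk. The enclosing `QXmlStreamReaderPrivate::parse()` starts and ends outside the hunk.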