Fix possible heap corruption in QXmlStream
author Allan Sandfeld Jensen <allan.jensen@qt.io>
Mon, 13 Aug 2018 13:29:16 +0000 (15:29 +0200)
committer Mike Gabriel <sunweaver@debian.org>
Tue, 7 May 2019 07:14:21 +0000 (08:14 +0100)
The value of 'tos' at the check might already be on the last element,
so triggering stack expansion on the second last element is too late.

Change-Id: Ib3ab2662d4d27a71effe9e988b9e172923af2908
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Gbp-Pq: Name cve_2018-15518.patch

src/corelib/xml/qxmlstream_p.h

index 6604b9400614742e661e211e835a30dea91db12d..96a2346b17d0c71df9d0d0dd67d76244cd03a911 100644
@@ -1242,7 +1242,7 @@ bool QXmlStreamReaderPrivate::parse()
             state_stack[tos] = 0;
             return true;
         } else if (act > 0) {
-            if (++tos == stack_size-1)
+            if (++tos >= stack_size-1)
                 reallocateStack();
 
             Value &val = sym_stack[tos];
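Review bot: The widened guard `if (++tos >= stack_size-1)` closes the gap the commit message describes, but the hunk leaves the post-condition of `reallocateStack()` unchecked. With the old `==` test, a `tos` that was already at `stack_size-1` before the increment became `stack_size` after it, the equality never matched, and the very next line, `Value &val = sym_stack[tos];`, indexed one element past the end of the heap buffer. The `>=` form now triggers the reallocation for any `tos` at or beyond the penultimate slot, which is the right fix; I would additionally add `Q_ASSERT(tos < stack_size);` immediately after the `reallocateStack();` call so that, if a future change lets `tos` run ahead of the guard again, debug builds fail loudly at the index rather than corrupting the heap silently in release. It would also help to state in the commit message how `tos` reaches the last element before this check, so the reviewer can confirm that this is the only write path that needed the stronger bound.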