From 5db09531c4d7856e12ba20b2ef6091a758bb0982 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Mon, 13 Aug 2018 15:29:16 +0200
Subject: [PATCH] Fix possible heap corruption in QXmlStream

The value of 'tos' at the check might already be on the last element,
so triggering stack expansion on the second last element is too late.

Change-Id: Ib3ab2662d4d27a71effe9e988b9e172923af2908
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>

Gbp-Pq: Name cve_2018-15518.patch
---
 src/corelib/xml/qxmlstream_p.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/corelib/xml/qxmlstream_p.h b/src/corelib/xml/qxmlstream_p.h
index 6604b9400..96a2346b1 100644
--- a/src/corelib/xml/qxmlstream_p.h
+++ b/src/corelib/xml/qxmlstream_p.h
@@ -1242,7 +1242,7 @@ bool QXmlStreamReaderPrivate::parse()
             state_stack[tos] = 0;
             return true;
         } else if (act > 0) {
-            if (++tos == stack_size-1)
+            if (++tos >= stack_size-1)
                 reallocateStack();
 
             Value &val = sym_stack[tos];
-- 
2.30.2