Fix possible heap corruption in QXmlStream

The value of 'tos' at the check might already be on the last element, so triggering stack expansion on the second last element is too late. Change-Id: Ib3ab2662d4d27a71effe9e988b9e172923af2908 Reviewed-by: Richard J. Moore <rich@kde.org> Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
qt · Aug 13, 2018 · 6256729 · 6256729
1 parent 6854fa7
commit 6256729
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h
@@ -1250,7 +1250,7 @@ bool QXmlStreamReaderPrivate::parse()
             state_stack[tos] = 0;
             return true;
         } else if (act > 0) {
-            if (++tos == stack_size-1)
+            if (++tos >= stack_size-1)
                 reallocateStack();
 
             Value &val = sym_stack[tos];