Fix possible heap corruption in QXmlStream

The value of 'tos' at the check might already be on the last element, so triggering stack expansion on the second last element is too late. Change-Id: Ib3ab2662d4d27a71effe9e988b9e172923af2908 Reviewed-by: Richard J. Moore <[email protected]> Reviewed-by: Thiago Macieira <[email protected]> (cherry picked from commit 6256729a6da532079505edfe4c56a6ef29cd8ab8)
author: Allan Sandfeld Jensen <[email protected]> 2018-08-13 15:29:16 +0200
committer: Allan Sandfeld Jensen <[email protected]> 2018-09-04 16:04:09 +0000
commit: 28a6e642af2ccb454dd019f551c2908753f76f08 (patch)
tree: bc17c83fa56b23ee3dfc71d4d969ce311361f7b5
parent: 8193340a44fd835cee029e63a31cfcab8ef6fd55 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/corelib/xml/qxmlstream_p.h b/src/corelib/xml/qxmlstream_p.h
index d22a697e5db..1635d31e382 100644
--- a/src/corelib/xml/qxmlstream_p.h
+++ b/src/corelib/xml/qxmlstream_p.h
@@ -1235,7 +1235,7 @@ bool QXmlStreamReaderPrivate::parse()
             state_stack[tos] = 0;
             return true;
         } else if (act > 0) {
-            if (++tos == stack_size-1)
+            if (++tos >= stack_size-1)
                 reallocateStack();
 
             Value &val = sym_stack[tos];
author	Allan Sandfeld Jensen <[email protected]>	2018-08-13 15:29:16 +0200
committer	Allan Sandfeld Jensen <[email protected]>	2018-09-04 16:04:09 +0000
commit	28a6e642af2ccb454dd019f551c2908753f76f08 (patch)
tree	bc17c83fa56b23ee3dfc71d4d969ce311361f7b5
parent	8193340a44fd835cee029e63a31cfcab8ef6fd55 (diff)