diff options
| author | Peter Hartmann <peter.hartmann@nokia.com> | 2010-04-23 14:12:10 (GMT) |
|---|---|---|
| committer | Peter Hartmann <peter.hartmann@nokia.com> | 2010-04-27 13:27:10 (GMT) |
| commit | 0948393df9b9046db5c3c92a12698aee056d8483 (patch) | |
| tree | b1a8dba2cd9c4d5aaa3971369694ef6486c1495d | |
| parent | daf16a0f6e495aed4e8b68bd4b3fb2eff1c90969 (diff) | |
| download | Qt-0948393df9b9046db5c3c92a12698aee056d8483.zip Qt-0948393df9b9046db5c3c92a12698aee056d8483.tar.gz Qt-0948393df9b9046db5c3c92a12698aee056d8483.tar.bz2 | |
fix crash in QXmlStreamReader
this fixes a possible off-by-one data corruption which apparently is
only triggered in rare circumstances.
The problem was: We were checking whether we would need to reallocate
the stack (line 1245), but sometimes were incrementing tos (line 1278)
and then accessing the state stack at an out-of-bounds position (line
1951).
Additionally, adapt the qlalr generator for changes made to
qxmlstream_p.h directly and recreate that file with qlalr.
Reviewed-by: Frans Englich
Reviewed-by: Roberto Raggi
Task-number: QTBUG-9196
| -rw-r--r-- | src/corelib/xml/qxmlstream.g | 2 | ||||
| -rw-r--r-- | src/corelib/xml/qxmlstream_p.h | 4 | ||||
| -rw-r--r-- | tests/auto/qxmlstream/tst_qxmlstream.cpp | 12 | ||||
| -rw-r--r-- | util/qlalr/cppgenerator.cpp | 2 |
4 files changed, 16 insertions, 4 deletions
diff --git a/src/corelib/xml/qxmlstream.g b/src/corelib/xml/qxmlstream.g index 1b882e0..e91408f 100644 --- a/src/corelib/xml/qxmlstream.g +++ b/src/corelib/xml/qxmlstream.g @@ -748,7 +748,7 @@ bool QXmlStreamReaderPrivate::parse() state_stack[tos] = 0; return true; } else if (act > 0) { - if (++tos == stack_size) + if (++tos == stack_size-1) reallocateStack(); Value &val = sym_stack[tos]; diff --git a/src/corelib/xml/qxmlstream_p.h b/src/corelib/xml/qxmlstream_p.h index ac421cf..f6ab3a1 100644 --- a/src/corelib/xml/qxmlstream_p.h +++ b/src/corelib/xml/qxmlstream_p.h @@ -61,7 +61,7 @@ class QXmlStreamReader_Table { public: - enum { + enum VariousConstants { EOF_SYMBOL = 0, AMPERSAND = 5, ANY = 41, @@ -1242,7 +1242,7 @@ bool QXmlStreamReaderPrivate::parse() state_stack[tos] = 0; return true; } else if (act > 0) { - if (++tos == stack_size) + if (++tos == stack_size-1) reallocateStack(); Value &val = sym_stack[tos]; diff --git a/tests/auto/qxmlstream/tst_qxmlstream.cpp b/tests/auto/qxmlstream/tst_qxmlstream.cpp index 27ae089..3c5358c 100644 --- a/tests/auto/qxmlstream/tst_qxmlstream.cpp +++ b/tests/auto/qxmlstream/tst_qxmlstream.cpp @@ -569,6 +569,7 @@ private slots: void clear() const; void checkCommentIndentation() const; void checkCommentIndentation_data() const; + void qtbug9196_crash() const; private: static QByteArray readFile(const QString &filename); @@ -1528,5 +1529,16 @@ void tst_QXmlStream::checkCommentIndentation() const // task 256468 QCOMPARE(output, expectedOutput); } +void tst_QXmlStream::qtbug9196_crash() const +{ + // the following input used to produce a crash in the stream reader + QByteArray ba("<a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a>" + "<a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a></a>"); + QXmlStreamReader xml(ba); + while (!xml.atEnd()) { + xml.readNext(); + } +} + #include "tst_qxmlstream.moc" // vim: et:ts=4:sw=4:sts=4 diff --git a/util/qlalr/cppgenerator.cpp b/util/qlalr/cppgenerator.cpp index f52a86f..45de51c 100644 --- a/util/qlalr/cppgenerator.cpp +++ b/util/qlalr/cppgenerator.cpp @@ -355,7 +355,7 @@ void CppGenerator::operator () () out << startIncludeGuard(grammar.merged_output) << endl; if (copyright) { - out << "#if defined(Q_OS_VXWORKS) && defined(ERROR)" << endl + out << "#if defined(ERROR)" << endl << "# undef ERROR" << endl << "#endif" << endl << endl; } |