QDom: Do not crash on "<a:>text</a:>"

"a:" is not a valid tagname. The function creating the element node
notices that and returns 0, but the parser ignores it and continues,
and then crashes later when processing the "text". This patch aborts
the parsing immediately when creating the element node failed and
fixes the crash.

Merge-request: 2431
Reviewed-by: Olivier Goffart <olivier.goffart@nokia.com>

2 files changed, 5 insertions, 2 deletions

diff --git a/src/xml/dom/qdom.cpp b/src/xml/dom/qdom.cpp
index 1267e7e..662c796 100644
--- a/src/xml/dom/qdom.cpp
+++ b/src/xml/dom/qdom.cpp
@@ -7418,8 +7418,10 @@ bool QDomHandler::startElement(const QString& nsURI, const QString&, const QStri
         n = doc->createElement(qName);
     }
 
-    if (n)
-        n->setLocation(locator->lineNumber(), locator->columnNumber());
+    if (!n)
+        return false;
+
+    n->setLocation(locator->lineNumber(), locator->columnNumber());
 
     node->appendChild(n);
     node = n;
diff --git a/tests/auto/qdom/tst_qdom.cpp b/tests/auto/qdom/tst_qdom.cpp
index 0f6cdaa..8bf7620 100644
--- a/tests/auto/qdom/tst_qdom.cpp
+++ b/tests/auto/qdom/tst_qdom.cpp
@@ -1776,6 +1776,7 @@ void tst_QDom::crashInSetContent() const
     QDomImplementation::setInvalidDataPolicy(QDomImplementation::ReturnNullNode); 
     QDomDocument docImport;
 
+    QCOMPARE(docImport.setContent(QLatin1String("<a:>text</a:>"), true), false);
     QVERIFY(docImport.setContent(QLatin1String("<?xml version=\"1.0\"?><e/>")));
 }