diff options
author | Olivier Goffart <ogoffart@trolltech.com> | 2009-12-01 19:58:44 (GMT) |
---|---|---|
committer | Olivier Goffart <ogoffart@trolltech.com> | 2009-12-01 19:58:44 (GMT) |
commit | 480b395bd652a4ac6e3f262bd99a045dff95c4ac (patch) | |
tree | fc149cdab904c5ba8bb59b67a3192d2002c71133 /src/corelib/tools | |
parent | 537bff8c020c8fd2c150b2821d1cc035ee96f84f (diff) | |
download | Qt-480b395bd652a4ac6e3f262bd99a045dff95c4ac.zip Qt-480b395bd652a4ac6e3f262bd99a045dff95c4ac.tar.gz Qt-480b395bd652a4ac6e3f262bd99a045dff95c4ac.tar.bz2 |
Fix crash in QVector::reserve when reserving smaller size on a shared vector
We cannot call realloc with aalloc smaller than asize.
Also include obvious optimisation: take the qMin computation out of
the loop.
Task-number: QTBUG-6416
Reviewed-by: Thiago
Diffstat (limited to 'src/corelib/tools')
-rw-r--r-- | src/corelib/tools/qvector.h | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/corelib/tools/qvector.h b/src/corelib/tools/qvector.h index f0de98d..201e7b3 100644 --- a/src/corelib/tools/qvector.h +++ b/src/corelib/tools/qvector.h @@ -324,7 +324,7 @@ void QVector<T>::detach_helper() { realloc(d->size, d->alloc); } template <typename T> void QVector<T>::reserve(int asize) -{ if (asize > d->alloc || d->ref != 1) realloc(d->size, asize); d->capacity = 1; } +{ if (asize > d->alloc) realloc(d->size, asize); if (d->ref == 1) d->capacity = 1; } template <typename T> void QVector<T>::resize(int asize) { realloc(asize, (asize > d->alloc || (!d->capacity && asize < d->size && asize < (d->alloc >> 1))) ? @@ -441,6 +441,7 @@ void QVector<T>::free(Data *x) template <typename T> void QVector<T>::realloc(int asize, int aalloc) { + Q_ASSERT(asize <= aalloc); T *pOld; T *pNew; union { QVectorData *d; Data *p; } x; @@ -496,7 +497,8 @@ void QVector<T>::realloc(int asize, int aalloc) pOld = p->array + x.d->size; pNew = x.p->array + x.d->size; // copy objects from the old array into the new array - while (x.d->size < qMin(asize, d->size)) { + const int toMove = qMin(asize, d->size); + while (x.d->size < toMove) { new (pNew++) T(*pOld++); x.d->size++; } |