fix crash in QXmlStreamReader

this fixes a possible off-by-one data corruption which apparently is
only triggered in rare circumstances.

The problem was: We were checking whether we would need to reallocate
the stack (line 1245), but sometimes were incrementing tos (line 1278)
and then accessing the state stack at an out-of-bounds position (line
1951).

Additionally, adapt the qlalr generator for changes made to
qxmlstream_p.h directly and recreate that file with qlalr.

Reviewed-by: Frans Englich
Reviewed-by: Roberto Raggi
Task-number: QTBUG-9196

2 files changed, 3 insertions, 3 deletions

diff --git a/src/corelib/xml/qxmlstream.g b/src/corelib/xml/qxmlstream.g
index 1b882e0..e91408f 100644
--- a/src/corelib/xml/qxmlstream.g
+++ b/src/corelib/xml/qxmlstream.g
@@ -748,7 +748,7 @@ bool QXmlStreamReaderPrivate::parse()
             state_stack[tos] = 0;
             return true;
         } else if (act > 0) {
-            if (++tos == stack_size)
+            if (++tos == stack_size-1)
                 reallocateStack();
 
             Value &val = sym_stack[tos];
diff --git a/src/corelib/xml/qxmlstream_p.h b/src/corelib/xml/qxmlstream_p.h
index ac421cf..f6ab3a1 100644
--- a/src/corelib/xml/qxmlstream_p.h
+++ b/src/corelib/xml/qxmlstream_p.h
@@ -61,7 +61,7 @@
 class QXmlStreamReader_Table
 {
 public:
-  enum {
+  enum VariousConstants {
     EOF_SYMBOL = 0,
     AMPERSAND = 5,
     ANY = 41,
@@ -1242,7 +1242,7 @@ bool QXmlStreamReaderPrivate::parse()
             state_stack[tos] = 0;
             return true;
         } else if (act > 0) {
-            if (++tos == stack_size)
+            if (++tos == stack_size-1)
                 reallocateStack();
 
             Value &val = sym_stack[tos];