fix crash in QXmlStreamReader

this fixes a possible off-by-one data corruption which apparently is
only triggered in rare circumstances.

The problem was: We were checking whether we would need to reallocate
the stack (line 1245), but sometimes were incrementing tos (line 1278)
and then accessing the state stack at an out-of-bounds position (line
1951).

Additionally, adapt the qlalr generator for changes made to
qxmlstream_p.h directly and recreate that file with qlalr.

Reviewed-by: Frans Englich
Reviewed-by: Roberto Raggi
Task-number: QTBUG-9196

1 files changed, 12 insertions, 0 deletions

diff --git a/tests/auto/qxmlstream/tst_qxmlstream.cpp b/tests/auto/qxmlstream/tst_qxmlstream.cpp
index 27ae089..3c5358c 100644
--- a/tests/auto/qxmlstream/tst_qxmlstream.cpp
+++ b/tests/auto/qxmlstream/tst_qxmlstream.cpp
@@ -569,6 +569,7 @@ private slots:
     void clear() const;
     void checkCommentIndentation() const;
     void checkCommentIndentation_data() const;
+    void qtbug9196_crash() const;
 
 private:
     static QByteArray readFile(const QString &filename);
@@ -1528,5 +1529,16 @@ void tst_QXmlStream::checkCommentIndentation() const // task 256468
     QCOMPARE(output, expectedOutput);
 }
 
+void tst_QXmlStream::qtbug9196_crash() const
+{
+    // the following input used to produce a crash in the stream reader
+    QByteArray ba("<a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a>"
+                  "<a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a><a></a>");
+    QXmlStreamReader xml(ba);
+    while (!xml.atEnd()) {
+         xml.readNext();
+    }
+}
+
 #include "tst_qxmlstream.moc"
 // vim: et:ts=4:sw=4:sts=4