From 38c0ed9870fc6bd8ba759c283eaf2bffb61c2e3f Mon Sep 17 00:00:00 2001
From: Erik Verbruggen <erik.verbruggen@nokia.com>
Date: Thu, 21 Jan 2010 16:45:05 +0100
Subject: Fixed possible array index-out-of-bounds crash in error reporting.

---
 src/declarative/qml/parser/qmljs.g         | 7 ++++++-
 src/declarative/qml/parser/qmljsparser.cpp | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/declarative/qml/parser/qmljs.g b/src/declarative/qml/parser/qmljs.g
index 7fbb3f6..90949d5 100644
--- a/src/declarative/qml/parser/qmljs.g
+++ b/src/declarative/qml/parser/qmljs.g
@@ -2985,7 +2985,12 @@ PropertyNameAndValueListOpt: PropertyNameAndValueList ;
         token_buffer[1].loc   = yylloc  = location(lexer);
 
         if (t_action(errorState, yytoken)) {
-            const QString msg = qApp->translate("QmlParser", "Unexpected token `%1'").arg(QLatin1String(spell[token_buffer[0].token]));
+            QString msg;
+            int token = token_buffer[0].token;
+            if (token < 0 || token >= TERMINAL_COUNT)
+                msg = qApp->translate("QmlParser", "Syntax error");
+            else
+                msg = qApp->translate("QmlParser", "Unexpected token `%1'").arg(QLatin1String(spell[token]));
             diagnostic_messages.append(DiagnosticMessage(DiagnosticMessage::Error, token_buffer[0].loc, msg));
 
             action = errorState;
diff --git a/src/declarative/qml/parser/qmljsparser.cpp b/src/declarative/qml/parser/qmljsparser.cpp
index c2788f4..856d06d 100644
--- a/src/declarative/qml/parser/qmljsparser.cpp
+++ b/src/declarative/qml/parser/qmljsparser.cpp
@@ -1761,7 +1761,12 @@ case 340: {
         token_buffer[1].loc   = yylloc  = location(lexer);
 
         if (t_action(errorState, yytoken)) {
-            const QString msg = qApp->translate("QmlParser", "Unexpected token `%1'").arg(QLatin1String(spell[token_buffer[0].token]));
+            QString msg;
+            int token = token_buffer[0].token;
+            if (token < 0 || token >= TERMINAL_COUNT)
+                msg = qApp->translate("QmlParser", "Syntax error");
+            else
+                msg = qApp->translate("QmlParser", "Unexpected token `%1'").arg(QLatin1String(spell[token]));
             diagnostic_messages.append(DiagnosticMessage(DiagnosticMessage::Error, token_buffer[0].loc, msg));
 
             action = errorState;
-- 
cgit v0.12