From 0948393df9b9046db5c3c92a12698aee056d8483 Mon Sep 17 00:00:00 2001
From: Peter Hartmann
Date: Fri, 23 Apr 2010 16:12:10 +0200
Subject: fix crash in QXmlStreamReader

this fixes a possible off-by-one data corruption which apparently is only triggered in rare circumstances. The problem was: We were checking whether we would need to reallocate the stack (line 1245), but sometimes were incrementing tos (line 1278) and then accessing the state stack at an out-of-bounds position (line 1951). Additionally, adapt the qlalr generator for changes made to qxmlstream_p.h directly and recreate that file with qlalr.

Reviewed-by: Frans Englich
Reviewed-by: Roberto Raggi
Task-number: QTBUG-9196
---
 src/corelib/xml/qxmlstream.g | 2 +-
 src/corelib/xml/qxmlstream_p.h | 4 ++--
 tests/auto/qxmlstream/tst_qxmlstream.cpp | 12 ++++++++++++
 util/qlalr/cppgenerator.cpp | 2 +-
 4 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/src/corelib/xml/qxmlstream.g b/src/corelib/xml/qxmlstream.g
index 1b882e0..e91408f 100644
--- a/src/corelib/xml/qxmlstream.g
+++ b/src/corelib/xml/qxmlstream.g
@@ -748,7 +748,7 @@ bool QXmlStreamReaderPrivate::parse()
 state_stack[tos] = 0;
 return true;
 } else if (act > 0) {
- if (++tos == stack_size)
+ if (++tos == stack_size-1)
 reallocateStack();
 Value &val = sym_stack[tos];
diff --git a/src/corelib/xml/qxmlstream_p.h b/src/corelib/xml/qxmlstream_p.h
index ac421cf..f6ab3a1 100644
--- a/src/corelib/xml/qxmlstream_p.h
+++ b/src/corelib/xml/qxmlstream_p.h
@@ -61,7 +61,7 @@
 class QXmlStreamReader_Table
 {
 public:
- enum {
+ enum VariousConstants {
 EOF_SYMBOL = 0,
 AMPERSAND = 5,
 ANY = 41,
@@ -1242,7 +1242,7 @@ bool QXmlStreamReaderPrivate::parse()
 state_stack[tos] = 0;
 return true;
 } else if (act > 0) {
- if (++tos == stack_size)
+ if (++tos == stack_size-1)
 reallocateStack();
 Value &val = sym_stack[tos];
diff --git a/tests/auto/qxmlstream/tst_qxmlstream.cpp b/tests/auto/qxmlstream/tst_qxmlstream.cpp
index 27ae089..3c5358c 100644
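Review bot: The new guard `if (++tos == stack_size-1)` reallocates only when tos lands exactly on the spare slot, so any path that advances tos without passing through this test — the commit message itself describes one at line 1278 — can still carry tos beyond stack_size-1, after which the equality is never true again and the writes to state_stack/sym_stack go out of bounds on attacker-controlled XML. `if (++tos >= stack_size - 1)` closes that gap, provided reallocateStack() sizes the new stack relative to the current tos rather than by a fixed step, which is not visible in this hunk and should be confirmed. The `-1` also encodes an invariant the generated parser gives no hint of; a comment on this line such as `// keep one spare slot: another path in parse() may bump tos once more before the next bounds check` would record why the headroom exists. The identical line appears in the qxmlstream_p.h hunk at 1242, which is regenerated from this grammar, so both copies need the same form. parse() continues outside the hunk.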
--- a/tests/auto/qxmlstream/tst_qxmlstream.cpp
+++ b/tests/auto/qxmlstream/tst_qxmlstream.cpp
@@ -569,6 +569,7 @@ private slots:
 void clear() const;
 void checkCommentIndentation() const;
 void checkCommentIndentation_data() const;
+ void qtbug9196_crash() const;
 private:
 static QByteArray readFile(const QString &filename);
@@ -1528,5 +1529,16 @@ void tst_QXmlStream::checkCommentIndentation() const // task 256468
 QCOMPARE(output, expectedOutput);
 }
+void tst_QXmlStream::qtbug9196_crash() const
+{
+ // the following input used to produce a crash in the stream reader
+ QByteArray ba(""
+ "");
+ QXmlStreamReader xml(ba);
+ while (!xml.atEnd()) {
+ xml.readNext();
+ }
+}
+
 #include "tst_qxmlstream.moc"
 // vim: et:ts=4:sw=4:sts=4
diff --git a/util/qlalr/cppgenerator.cpp b/util/qlalr/cppgenerator.cpp
index f52a86f..45de51c 100644
--- a/util/qlalr/cppgenerator.cpp
+++ b/util/qlalr/cppgenerator.cpp
@@ -355,7 +355,7 @@ void CppGenerator::operator () ()
 out << startIncludeGuard(grammar.merged_output) << endl;
 if (copyright) {
- out << "#if defined(Q_OS_VXWORKS) && defined(ERROR)" << endl
+ out << "#if defined(ERROR)" << endl
 << "# undef ERROR" << endl
 << "#endif" << endl << endl;
 }
-- 
cgit v0.12
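Review bot: qtbug9196_crash() only proves the reader reaches atEnd() without crashing; it never inspects the outcome, so a regression that makes the reader bail out early with an error, or silently accept malformed input, would still pass. After the loop, pin the expected terminal state with `QVERIFY(xml.hasError());` or `QCOMPARE(xml.error(), QXmlStreamReader::NoError);`, whichever the input is meant to produce. In this rendering the two string literals that build `ba` appear empty, so the actual input cannot be checked here; a comment naming the construct that drives the parser stack deep enough to hit the old bound would make the test self-explanatory for the next reader.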
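Review bot: Dropping the `Q_OS_VXWORKS` condition makes every generated parser header `#undef ERROR` wherever the macro exists, which silently changes what any translation unit including that header sees afterwards (Windows' wingdi.h defines ERROR, for instance); for a private header that is presumably acceptable, but the generator gives no reason. Emit the rationale into the output so it survives regeneration, e.g. `out << "// ERROR is also a token name in the generated tables; drop the platform macro" << endl` before the `#if` line. operator()() continues outside the hunk.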