File CVE-2018-15518.patch of Package libqt4

Author:     Allan Sandfeld Jensen <allan.jensen@qt.io>
AuthorDate: 2018-08-13 15:29:16 +0200
Commit:     Allan Sandfeld Jensen <allan.jensen@qt.io>
CommitDate: 2018-08-13 15:10:11 +0000

Fix possible heap corruption in QXmlStream

The value of 'tos' at the check might already be on the last element,
so triggering stack expansion on the second last element is too late.

Change-Id: Ib3ab2662d4d27a71effe9e988b9e172923af2908
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>

--- qt-everywhere-opensource-src-4.8.7.orig/src/corelib/xml/qxmlstream_p.h
+++ qt-everywhere-opensource-src-4.8.7/src/corelib/xml/qxmlstream_p.h
@@ -1242,7 +1242,7 @@ bool QXmlStreamReaderPrivate::parse()
             state_stack[tos] = 0;
             return true;
         } else if (act > 0) {
-            if (++tos == stack_size-1)
+            if (++tos >= stack_size-1)
                 reallocateStack();
 
             Value &val = sym_stack[tos];
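
Review bot: the guard `if (++tos >= stack_size-1)` still calls reallocateStack() exactly once, and nothing in this hunk confirms that a single call leaves tos in bounds before `Value &val = sym_stack[tos];` indexes the array. The commit message says tos may already be on the last element when the check runs, which implies it is advanced somewhere outside this branch. Consider asserting tos < stack_size immediately after the reallocateStack() call, or looping until that holds. It is also worth reviewing the other sites that increment tos, since an unchecked increment there is what let the old `==` comparison be stepped over. A short comment on the condition explaining why `>=` is required, and a regression test using an input that reached the old overrun, would guard against a later revert to `==`.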