Fix memory leak in QDomDocument DTD notation declaration handler

The created notation node's reference count needs to be decremented to 0
before it is added as a child, because appendChild will increment the
reference count to correct value of 1. Also added autotest DTDNotationDecl
to tst_qdom to expose the leak when executed under valgrind memcheck.
There was no previous test coverage for the notation declarations in DTD.

Task-number: QTBUG-22588
Change-Id: I876186d1277ceb4414f803b58b62f51cc1474367
Reviewed-by: Olivier Goffart <ogoffart@woboq.com>

diff --git a/src/xml/dom/qdom.cpp b/src/xml/dom/qdom.cpp
index 10f48b1..d8a7bc5 100644 (file)
--- a/src/xml/dom/qdom.cpp
+++ b/src/xml/dom/qdom.cpp
@@ -7553,6 +7553,8 @@ bool QDomHandler::externalEntityDecl(const QString &name, const QString &publicI
 bool QDomHandler::notationDecl(const QString & name, const QString & publicId, const QString & systemId)
 {
     QDomNotationPrivate* n = new QDomNotationPrivate(doc, 0, name, publicId, systemId);
+    // keep the refcount balanced: appendChild() does a ref anyway.
+    n->ref.deref();
     doc->doctype()->appendChild(n);
     return true;
 }

diff --git a/tests/auto/xml/dom/qdom/tst_qdom.cpp b/tests/auto/xml/dom/qdom/tst_qdom.cpp
index 44af4a0..38d2d76 100644 (file)
--- a/tests/auto/xml/dom/qdom/tst_qdom.cpp
+++ b/tests/auto/xml/dom/qdom/tst_qdom.cpp
@@ -125,6 +125,7 @@ private slots:
 
     void taskQTBUG4595_dontAssertWhenDocumentSpecifiesUnknownEncoding() const;
     void cloneDTD_QTBUG8398() const;
+    void DTDNotationDecl();
 
     void cleanupTestCase() const;
 
@@ -1923,5 +1924,28 @@ void tst_QDom::cloneDTD_QTBUG8398() const
     domDocument2.save(stream, 0);
     QCOMPARE(output, expected);
 }
+
+void tst_QDom::DTDNotationDecl()
+{
+    QString dtd("<?xml version='1.0' encoding='UTF-8'?>\n"
+                   "<!DOCTYPE first [\n"
+                   "<!NOTATION gif SYSTEM 'image/gif'>\n"
+                   "<!NOTATION jpeg SYSTEM 'image/jpeg'>\n"
+                   "]>\n"
+                   "<first/>\n");
+
+    QDomDocument domDocument;
+    QVERIFY(domDocument.setContent(dtd));
+
+    const QDomDocumentType doctype = domDocument.doctype();
+    QCOMPARE(doctype.notations().size(), 2);
+
+    QVERIFY(doctype.namedItem(QString("gif")).isNotation());
+    QCOMPARE(doctype.namedItem(QString("gif")).toNotation().systemId(), QString("image/gif"));
+
+    QVERIFY(doctype.namedItem(QString("jpeg")).isNotation());
+    QCOMPARE(doctype.namedItem(QString("jpeg")).toNotation().systemId(), QString("image/jpeg"));
+}
+
 QTEST_MAIN(tst_QDom)
 #include "tst_qdom.moc"