Fix potential buffer overrun.

Found by static analysis.  operator[]() accepts index up to
QVariant::UserType-1 but only QVariant::UserType-1 were allocated.

Change-Id: I0691fe268e3ba029441e43bdfcd191400ea21f38
Reviewed-by: Matthew Vogt <matthew.vogt@nokia.com>

diff --git a/src/qml/qml/qqmlvaluetype.cpp b/src/qml/qml/qqmlvaluetype.cpp
index 4086cae..b96c2f6 100644 (file)
--- a/src/qml/qml/qqmlvaluetype.cpp
+++ b/src/qml/qml/qqmlvaluetype.cpp
@@ -49,13 +49,13 @@ QT_BEGIN_NAMESPACE
 
 QQmlValueTypeFactory::QQmlValueTypeFactory()
 {
-    for (unsigned int ii = 0; ii < (QVariant::UserType - 1); ++ii)
+    for (unsigned int ii = 0; ii < QVariant::UserType; ++ii)
         valueTypes[ii] = 0;
 }
 
 QQmlValueTypeFactory::~QQmlValueTypeFactory()
 {
-    for (unsigned int ii = 0; ii < (QVariant::UserType - 1); ++ii)
+    for (unsigned int ii = 0; ii < QVariant::UserType; ++ii)
         delete valueTypes[ii];
 }
 

diff --git a/src/qml/qml/qqmlvaluetype_p.h b/src/qml/qml/qqmlvaluetype_p.h
index 6641a40..776847a 100644 (file)
--- a/src/qml/qml/qqmlvaluetype_p.h
+++ b/src/qml/qml/qqmlvaluetype_p.h
@@ -164,7 +164,7 @@ public:
     }
 
 private:
-    mutable QQmlValueType *valueTypes[QVariant::UserType - 1];
+    mutable QQmlValueType *valueTypes[QVariant::UserType];
 };
 
 class Q_QML_PRIVATE_EXPORT QQmlPointFValueType : public QQmlValueTypeBase<QPointF>