Fix memory leak in QDomDocument DTD entity declaration handler

The created entity node's reference count needs to be decremented to 0
before it is added as a child, because appendChild will increment the
reference count to correct value of 1. Also added autotest DTDEntityDecl
to tst_qdom to expose the leak when executed under valgrind memcheck.
There was no previous direct test case for unparsed entity declarations in
DTD, only indirect coverage via regression test cloneDTD_QTBUG8398.

Task-number: QTBUG-22587
Change-Id: I394ae9fc32d5b84e4ca287c5db4dd7effde6128b
Reviewed-by: Olivier Goffart <ogoffart@woboq.com>

diff --git a/src/xml/dom/qdom.cpp b/src/xml/dom/qdom.cpp
index d8a7bc5..2563871 100644 (file)
--- a/src/xml/dom/qdom.cpp
+++ b/src/xml/dom/qdom.cpp
@@ -7541,6 +7541,8 @@ bool QDomHandler::unparsedEntityDecl(const QString &name, const QString &publicI
 {
     QDomEntityPrivate* e = new QDomEntityPrivate(doc, 0, name,
             publicId, systemId, notationName);
+    // keep the refcount balanced: appendChild() does a ref anyway.
+    e->ref.deref();
     doc->doctype()->appendChild(e);
     return true;
 }

diff --git a/tests/auto/xml/dom/qdom/tst_qdom.cpp b/tests/auto/xml/dom/qdom/tst_qdom.cpp
index 38d2d76..aa9e92b 100644 (file)
--- a/tests/auto/xml/dom/qdom/tst_qdom.cpp
+++ b/tests/auto/xml/dom/qdom/tst_qdom.cpp
@@ -126,6 +126,7 @@ private slots:
     void taskQTBUG4595_dontAssertWhenDocumentSpecifiesUnknownEncoding() const;
     void cloneDTD_QTBUG8398() const;
     void DTDNotationDecl();
+    void DTDEntityDecl();
 
     void cleanupTestCase() const;
 
@@ -1947,5 +1948,29 @@ void tst_QDom::DTDNotationDecl()
     QCOMPARE(doctype.namedItem(QString("jpeg")).toNotation().systemId(), QString("image/jpeg"));
 }
 
+void tst_QDom::DTDEntityDecl()
+{
+    QString dtd("<?xml version='1.0' encoding='UTF-8'?>\n"
+                   "<!DOCTYPE first [\n"
+                   "<!ENTITY secondFile SYSTEM 'second.xml'>\n"
+                   "<!ENTITY logo SYSTEM \"http://www.w3c.org/logo.gif\" NDATA gif>"
+                   "]>\n"
+                   "<first/>\n");
+
+    QDomDocument domDocument;
+    QVERIFY(domDocument.setContent(dtd));
+
+    const QDomDocumentType doctype = domDocument.doctype();
+    QCOMPARE(doctype.entities().count(), 2);
+
+    QVERIFY(doctype.namedItem(QString("secondFile")).isEntity());
+    QCOMPARE(doctype.namedItem(QString("secondFile")).toEntity().systemId(), QString("second.xml"));
+    QCOMPARE(doctype.namedItem(QString("secondFile")).toEntity().notationName(), QString());
+
+    QVERIFY(doctype.namedItem(QString("logo")).isEntity());
+    QCOMPARE(doctype.namedItem(QString("logo")).toEntity().systemId(), QString("http://www.w3c.org/logo.gif"));
+    QCOMPARE(doctype.namedItem(QString("logo")).toEntity().notationName(), QString("gif"));
+}
+
 QTEST_MAIN(tst_QDom)
 #include "tst_qdom.moc"