From 4285a99b14f05b604c266fdd33cf8edff7ff3ef3 Mon Sep 17 00:00:00 2001
From: Martin Jones
Date: Mon, 28 May 2012 15:32:11 +1000
Subject: [PATCH] Fix potential buffer overrun. Found by static analysis. operator[]() accepts index up to QVariant::UserType-1 but only QVariant::UserType-1 were allocated.
Change-Id: I0691fe268e3ba029441e43bdfcd191400ea21f38
Reviewed-by: Matthew Vogt
---
 src/qml/qml/qqmlvaluetype.cpp | 4 ++--
 src/qml/qml/qqmlvaluetype_p.h | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/qml/qml/qqmlvaluetype.cpp b/src/qml/qml/qqmlvaluetype.cpp
index 4086cae..b96c2f6 100644
--- a/src/qml/qml/qqmlvaluetype.cpp
+++ b/src/qml/qml/qqmlvaluetype.cpp
@@ -49,13 +49,13 @@ QT_BEGIN_NAMESPACE
 QQmlValueTypeFactory::QQmlValueTypeFactory()
 {
- for (unsigned int ii = 0; ii < (QVariant::UserType - 1); ++ii)
+ for (unsigned int ii = 0; ii < QVariant::UserType; ++ii)
 valueTypes[ii] = 0;
 }
 QQmlValueTypeFactory::~QQmlValueTypeFactory()
 {
- for (unsigned int ii = 0; ii < (QVariant::UserType - 1); ++ii)
+ for (unsigned int ii = 0; ii < QVariant::UserType; ++ii)
 delete valueTypes[ii];
 }
diff --git a/src/qml/qml/qqmlvaluetype_p.h b/src/qml/qml/qqmlvaluetype_p.h
index 6641a40..776847a 100644
--- a/src/qml/qml/qqmlvaluetype_p.h
+++ b/src/qml/qml/qqmlvaluetype_p.h
@@ -164,7 +164,7 @@ public:
 }
 private:
- mutable QQmlValueType *valueTypes[QVariant::UserType - 1];
+ mutable QQmlValueType *valueTypes[QVariant::UserType];
 };
 class Q_QML_PRIVATE_EXPORT QQmlPointFValueType : public QQmlValueTypeBase
--
2.7.4
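Review bot: The element count `QVariant::UserType` is still written out by hand in both loops of this hunk and again in the array declaration in qqmlvaluetype_p.h, so the three places can drift apart again the next time one of them is edited. Taking the bound from the array itself, `for (unsigned int ii = 0; ii < sizeof(valueTypes) / sizeof(valueTypes[0]); ++ii)`, or from one named constant shared with the header, keeps constructor, destructor and declaration in step. If the sizes do diverge, the loops either leave a slot uninitialised and undeleted or write and `delete` past the end of the array. That is the class of defect the static analyser reported.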
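Review bot: The `valueTypes` declaration does not record the invariant this fix restores, so nothing at the member explains why the size is `QVariant::UserType` rather than one less. I would add a comment above it such as `// Indexed by QVariant type id; must hold every index operator[]() accepts (0 .. QVariant::UserType - 1).` The range check in operator[]() is outside this hunk, as are the start and end of the class body, so it is worth confirming there that every index it lets through is below the new size.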