From dffba486d1e63e3034596607f58801b2719a7b6c Mon Sep 17 00:00:00 2001
From: Marc Mutz
Date: Fri, 6 May 2022 09:35:42 +0200
Subject: [PATCH] QXmlStreamReader: port Value::prefix from int to qint16
The prefix is a part of a name, the length of which is bounded to 4k in fastScanName(), so qint16 suffices. The length field also shouldn't stay int, but that's a different patch, because it's just a relative offset to pos, and so isn't as easily overflown. This shrinks the Value struct a tiny bit; created QTBUG-103306 to track ideas to shrink it further.
Pick-to: 6.3 6.2
Task-number: QTBUG-102465
Change-Id: I579815e72501a091360f55e750af63cb4dc5a5a7
Reviewed-by: Edward Welbourne
---
 src/corelib/serialization/qxmlstream.cpp | 6 +++---
 src/corelib/serialization/qxmlstream_p.h | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp
index 17f75bb142..3323ff0707 100644
--- a/src/corelib/serialization/qxmlstream.cpp
+++ b/src/corelib/serialization/qxmlstream.cpp
@@ -1279,14 +1279,14 @@ inline int QXmlStreamReaderPrivate::fastScanContentCharList()
 return n; }
-inline int QXmlStreamReaderPrivate::fastScanName(int *prefix)
+inline int QXmlStreamReaderPrivate::fastScanName(qint16 *prefix)
 { int n = 0; uint c; while ((c = getChar()) != StreamEOF) { if (n >= 4096) { // This is too long to be a sensible name, and
- // can exhaust memory
+ // can exhaust memory, or the range of decltype(*prefix)
 return 0; } switch (c) {
@@ -1325,7 +1325,7 @@ inline int QXmlStreamReaderPrivate::fastScanName(int *prefix)
 case ':': if (prefix) { if (*prefix == 0) {
- *prefix = n+2;
+ *prefix = qint16(n + 2);
 } else { // only one colon allowed according to the namespace spec. putChar(c); return n;
diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h
index 60558ab189..4897735796 100644
--- a/src/corelib/serialization/qxmlstream_p.h
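Review bot: The narrowing in `*prefix = qint16(n + 2);` (second qxmlstream.cpp hunk) is correct only because of the literal `if (n >= 4096)` guard visible in the first hunk, and nothing but a comment ties that literal to the width of `qint16`. Because the cast is explicit, no narrowing diagnostic would fire if the limit were later raised beyond what `qint16` can hold, and the value stored in `Value::prefix` (qxmlstream_p.h hunk) for a name read from untrusted XML would then wrap silently. I would name the limit and assert the relationship next to the guard, e.g. `static_assert(MaxNameLength + 2 <= (std::numeric_limits<qint16>::max)());`, with `MaxNameLength` (a suggested name) replacing the literal 4096. Both hunks show only fragments of fastScanName(); its body starts and ends outside them.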
+++ b/src/corelib/serialization/qxmlstream_p.h
@@ -411,7 +411,7 @@ public:
 struct Value { qsizetype pos; // offset into textBuffer int len;
- int prefix;
+ qint16 prefix; // prefix of a name (as in "prefix:name") limited to 4k in fastScanName()
 ushort c; };
@@ -507,7 +507,7 @@ public:
 int fastScanLiteralContent(); int fastScanSpace(); int fastScanContentCharList();
- int fastScanName(int *prefix = nullptr);
+ int fastScanName(qint16 *prefix = nullptr);
 inline int fastScanNMTOKEN();