From b20d6cded7be8b86bed93ee705420bfb01700c5b Mon Sep 17 00:00:00 2001
From: Joni Poikelin <joni.poikelin@theqtcompany.com>
Date: Thu, 29 Oct 2015 09:43:33 +0200
Subject: [PATCH] Fix QDomNamedNodeMap::item crash with negative index

Task-number: QTBUG-49113
Change-Id: I62dee4c112b73a25628657bc3d2ae675f26b87d8
Reviewed-by: David Faure <david.faure@kdab.com>
---
 src/xml/dom/qdom.cpp                 | 2 +-
 tests/auto/xml/dom/qdom/tst_qdom.cpp | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/xml/dom/qdom.cpp b/src/xml/dom/qdom.cpp
index 943d5c28a45..5e4946a814c 100644
--- a/src/xml/dom/qdom.cpp
+++ b/src/xml/dom/qdom.cpp
@@ -3142,7 +3142,7 @@ QDomNodePrivate* QDomNamedNodeMapPrivate::removeNamedItem(const QString& name)
 
 QDomNodePrivate* QDomNamedNodeMapPrivate::item(int index) const
 {
-    if (index >= length())
+    if (index >= length() || index < 0)
         return 0;
     return *(map.constBegin() + index);
 }
diff --git a/tests/auto/xml/dom/qdom/tst_qdom.cpp b/tests/auto/xml/dom/qdom/tst_qdom.cpp
index a4a3f1f6b34..04cd0b300f5 100644
--- a/tests/auto/xml/dom/qdom/tst_qdom.cpp
+++ b/tests/auto/xml/dom/qdom/tst_qdom.cpp
@@ -119,6 +119,7 @@ private slots:
     void cloneDTD_QTBUG8398() const;
     void DTDNotationDecl();
     void DTDEntityDecl();
+    void QTBUG49113_dontCrashWithNegativeIndex() const;
 
     void cleanupTestCase() const;
 
@@ -1979,5 +1980,13 @@ void tst_QDom::DTDEntityDecl()
     QCOMPARE(doctype.namedItem(QString("logo")).toEntity().notationName(), QString("gif"));
 }
 
+void tst_QDom::QTBUG49113_dontCrashWithNegativeIndex() const
+{
+    QDomDocument doc;
+    QDomElement elem = doc.appendChild(doc.createElement("root")).toElement();
+    QDomNode node = elem.attributes().item(-1);
+    QVERIFY(node.isNull());
+}
+
 QTEST_MAIN(tst_QDom)
 #include "tst_qdom.moc"