[Git][wxwidgets/wxwidgets][3.2] 64 commits: Avoid harmless -Wunused-variable in unit tests

Vadim Zeitlin (@_VZ_)

Jun 1, 2026, 8:32:40 AM
to wx-commi...@googlegroups.com

Vadim Zeitlin pushed to branch 3.2 at wxWidgets / wxWidgets

Commits:

  • e0faab1c
    by Vadim Zeitlin at 2026-05-11T14:48:41+02:00
    Avoid harmless -Wunused-variable in unit tests
    
    This warning used to be suppressed in Catch headers, but this is not the
    case any longer, so work around it in the tests themselves now.
    
    (cherry picked from commit 895dd8424c9e3cfbf451279c2617121e6b140b1c)
    
  • ce957f45
    by Vadim Zeitlin at 2026-05-11T14:48:41+02:00
    Log image information earlier in the image unit test
    
    Use INFO() before some checks that may already fail to at least show in
    which test the failures occur.
    
    (cherry picked from commit 612dfa447a521ea2dec5bdbf49843e245dd8de35)
    
  • 948c6252
    by Vadim Zeitlin at 2026-05-11T14:48:41+02:00
    Relax checks for image equality in wxImage::ChangeColours
    
    Allow difference of 1 as this is what we get when using -O2 with gcc 12.
    
    (cherry picked from commit f77390551ff5bd390063885524cf90222734c766)
    
  • 03d55ccb
    by Vadim Zeitlin at 2026-05-11T14:48:41+02:00
    Improve wxImage::ChangeColours test code
    
    Use a helper function to both make it shorter and provide more
    information in case of a check failure: now the output will include the
    name of the file, comparing with which failed, allowing to immediately
    see which test failed.
    
    (cherry picked from commit 2ed4e6bee4ee7659405862f5ff311429c44338f5)
    
  • 273a100d
    by Vadim Zeitlin at 2026-05-11T14:48:41+02:00
    Improve TIFF saving test code
    
    Give more details in case of failure by using INFO() and use simple
    CHECK()s instead of ugly WX_ASSERT_EQUAL_MESSAGE as they will show the
    failing test anyhow.
    
    No real changes.
    
    (cherry picked from commit c9efe227630c45533a914f1d517446842394b39c)
    
  • 65a39741
    by Vadim Zeitlin at 2026-05-11T14:48:41+02:00
    Remove CppUnit boilerplate in wxImage unit test
    
    No real changes, just remove all the ugly compatibility macros.
    
    (cherry picked from commit d56d773a557d1fd2e4e9484b1807f4d4df0a440a)
    
  • 5342ba2e
    by Brian Nixon at 2026-05-11T14:48:41+02:00
    Correct loading of `BI_BITFIELDS` bitmaps
    
    This fixes several minor bugs in the loading of `BI_BITFIELDS` bitmaps,
    related to handling different header sizes and the colour and alpha
    masks.
    
    See #23601.
    
    (cherry picked from commit d78e9fb1cb7718f9d62c9ad400a97dea23b179bd)
    
  • 33e6f770
    by Vadim Zeitlin at 2026-05-11T14:48:41+02:00
    Add tests for reading truncated GIF image
    
    This should have been part of 217ecf0096 (Fix crash when reading
    truncated GIF image, 2023-07-02).
    
    See #23409.
    
  • 235cb8bf
    by paulcor at 2026-05-11T14:48:41+02:00
    Fix loading BMP files which use 32bpp but do not have valid alpha
    
    Based on the behavior of WIN32 LoadFile(), and the gdk-pixbuf BMP loader
    source code, the alpha values are ignored unless the compression method
    is BI_BITFIELDS.
    
    See #10915, #24219.
    
    (cherry picked from commit b21642b72b4128f0b64ed7d79b4d320cbfc35497)
    
  • b0db3a9f
    by Paul Cornett at 2026-05-11T14:48:41+02:00
    Fix loading ICO files with alpha broken by parent commit
    
    The rules are different than for BMP files. Broken by parent 3676d34f8e
    (Fix loading BMP files which use 32bpp but do not have valid alpha,
    2024-11-04) which was backported from master as is.
    
    See #24219, #24955.
    
    (cherry picked from commit b321af212d1923cef590675510c885762ece47c5)
    
  • 2807118e
    by Paul Cornett at 2026-05-11T14:48:41+02:00
    Fix loading ICO files with fully transparent alpha
    
    Windows behavior is to ignore alpha in that case. Broken by grand parent
    commit 3676d34f8e (Fix loading BMP files which use 32bpp but do not have
    valid alpha, 2024-11-04) backported as is from master.
    
    (cherry picked from commit dc83c4ca0eaa247950aaa9a9e114a21b46b6ae17)
    
  • 282d71e0
    by Paul Cornett at 2026-05-11T14:48:41+02:00
    Avoid memory overwrite on malformed BMP with invalid RLE data
    
    (cherry picked from commit 443b64c11cc2b44a0fd713e90efa4300e279ea59)
    
  • f5b1ffe7
    by Paul Cornett at 2026-05-11T14:48:41+02:00
    Avoid negative shift count with valid BMP file
    
    Detected by undefined behavior sanitizer, on a file with 16 bpp and a color
    component of more than 8 bits. Fix by using a different, and more accurate,
    method to scale color components to 8 bits.
    
    (cherry picked from commit 05404fd3796075b10e352288481e4b40cf44ddca)
    
  • b30bb762
    by Brian Nixon at 2026-05-11T14:48:41+02:00
    Correct delta-RLE bitmap background colour
    
    Use black instead of the first palette colour for the implicit
    background for RLE bitmaps for consistency with Windows itself.
    
    See #23599.
    
    (cherry picked from commit b473163da20c1f36caaf2e4db512bb8fb4d73a93)
    
  • 4adc0119
    by Brian Nixon at 2026-05-11T14:48:41+02:00
    Restore old delta-RLE bitmap background setting
    
    Revert the change introduced in parent commit c7378c6aa3 (Correct
    delta-RLE bitmap background colour, 2023-06-02) cherry-picked from
    master as is, and restore the setting of the background of delta-RLE
    bitmaps to the first entry in the colour table. This retains earlier
    wxWidgets behaviour and matches Windows `LoadImage()` with
    `LR_CREATEDIBSECTION`.
    
    See #23638, #23657.
    
    (cherry picked from commit e1e2e982e30cfcc8d07e1ee4d4e5ce6964fc619d)
    
  • c83ef318
    by Paul Cornett at 2026-05-11T14:48:41+02:00
    Avoid assertion failure on BMP file with invalid or too-large size
    
    (cherry picked from commit 5ff83b400c96a12adb2222adce1391c9bd7f6503)
    
  • 4b9915d9
    by Paul Cornett at 2026-05-11T14:48:41+02:00
    Reduce the scope of some local variables
    
    And switch to unsigned types for things which are not signed.
    
    (cherry picked from commit b8199fa9ceae805189ddd325c982e52cc8bd4757)
    
  • 1c677c7c
    by Paul Cornett at 2026-05-11T14:48:41+02:00
    Up-scale BMP color components using Windows-compatible method
    
    This allows tests to compare against native behavior under Windows
    
    (cherry picked from commit 45a7efd6425c2eb0dc6e7cab5d813b9847e165bf)
    
  • 99cd1bed
    by Paul Cornett at 2026-05-11T14:48:41+02:00
    Handle BMP alpha the same way Windows does
    
    Windows ignores alpha unless the format is 8-bit ARGB, and alpha is not
    all zeros.
    
    (cherry picked from commit e7e352d5f4315116656e21a996c08864021ff80b)
    
  • fa5dca61
    by Paul Cornett at 2026-05-11T14:48:41+02:00
    Fix BMP test under Wine
    
    Apparently Wine does not handle BMP exactly like Windows
    
    (cherry picked from commit 4d5fbf5afa276ebec0fed95c8feb5d6ec485622d)
    
  • 94462af4
    by MarkLee131 at 2026-05-11T14:48:41+02:00
    Avoid out-of-bounds palette read in 8bpp BMP decoder
    
    The non-RLE 8bpp branch at imagbmp.cpp:903, plus the RLE absolute and
    RLE encoded branches a few lines above, all index cmap[aByte] without
    checking aByte against the palette colour count. A BMP that pairs a
    small palette with a colour-index byte >= ncolors reads past the
    palette and the value flows into the decoded pixel.
    
    Reject the file (return false) at each site, matching the surrounding
    "return false on malformed input" pattern.
    
    See #26438, #26439.
    
    (cherry picked from commit b305cb4e4de77fb37807aa89e02643c4b0240d8f)
    
  • ca1c3f75
    by MarkLee131 at 2026-05-11T14:48:41+02:00
    Avoid out-of-bounds line-buffer read in wxPCXHandler::LoadFile
    
    The PCX header's width and bytesperline are independent fields,
    never cross-validated. A header with width > bytesperline produces a
    small per-line buffer p and then reads p[i] for i < width past the
    buffer end (the 24-bit branch additionally reads p[i + 2 * bytesperline]).
    
    Reject the file when width exceeds bytesperline, or when either is
    non-positive.
    
    See #26441, #26443.
    
    (cherry picked from commit edae38f44a22bd7a37339bbfdadbb408db08c796)
    
  • 1a488980
    by MarkLee131 at 2026-05-11T14:48:41+02:00
    Avoid out-of-bounds read in wxXPMDecoder::ReadFile on unterminated comment
    
    When the inner loop scanning for the '*/' that closes a '/*' comment
    exits because *q == '\0' (no closing marker before end-of-buffer),
    the subsequent strlen(q + 2) reads past the allocated wxCharBuffer.
    
    Bail out of the outer loop in that case.
    
    See #26442, #26444.
    
    (cherry picked from commit f4296791320ac13ba2ddf1e6db91ab3e8b7b0285)
    
  • e9c086f8
    by Vadim Zeitlin at 2026-05-11T15:06:01+02:00
    Avoid another warning triggered by the last warning workaround
    
    Initialize a variable to avoid -Wmaybe-uninitialized triggered by using
    wxUnusedVar() with it now.
    
    (cherry picked from commit f2cfcd3d2faaedfbae9b4ed7de866a15d24c4a3f)
    
  • 5c6413d4
    by Václav Slavík at 2026-05-15T17:20:08+02:00
    wxGTK: Fix wxTextCtrl crash with GSpell attached
    
    The logic in wxTextCtrl::DoFreeze() for deleting leaked anonymous marks
    when detaching the buffer kept raw pointers to GtkTextMark objects
    without managing their reference count.
    
    This worked for the specific internal mark targeted by this code, but
    broke with other marks that may have become invalid in the meantime.
    Specifically, GSpell uses such marks internally too, causing a
    use-after-free crash.
    
    Fixed by ref-counting the objects kept in m_anonymousMarkList.
    
    See #26464.
    
    (cherry picked from commit 7a7ab636e36cd01540c038bef2430ffcfa048681)
    
  • 1eb48abb
    by Václav Slavík at 2026-05-15T17:20:19+02:00
    Update Poedit links
    
    Update links to Poedit in the docs, plus adjacent things such as
    the name or current path to xgettext.
    
    See #26465.
    
    (cherry picked from commit 63331c31f4f04ab2ce4d255fd4d1753d143ca83a)
    
  • 191768e3
    by Vadim Zeitlin at 2026-05-15T23:53:45+02:00
    Fix computing wait end time in pthreads wxCondition implementation
    
    The old code didn't work for the dates after 2038 due to the use of
    GetLo() which discarded the high part of 64 bit time value.
    
    Simply stop doing it to fix the bug both for wxCondition and for
    wxSemaphore which uses it internally.
    
    See #26466.
    
    (cherry picked from commit 24e72ef30e87377c1ec7158f11f79b58dcbb3b61)
    
  • bfdfaa0b
    by Paul Cornett at 2026-05-19T04:46:06+02:00
    Make GTK3 dashed line appearance similar to MSW
    
    Scale the segment lengths to the pen width properly, and match the MSW lengths.
    Apparently MSW doesn't have a long dash, so use twice the short dash for that.
    
    See #26449.
    
    (cherry picked from commit ec0149a9320549efd41e02c24a1b744b217d04f1)
    
  • 268d8d5b
    by Paul Cornett at 2026-05-19T04:47:23+02:00
    Make GTK2 dashed line appearance similar to MSW
    
    See #26449.
    
    (cherry picked from commit c968631837d74af60a8c454d2253d8f0b550949c)
    
  • 3b2774a6
    by Paul Cornett at 2026-05-19T21:52:44+02:00
    Fix non-resizable TLW size on GTK when client size is set to initial size
    
    See #26480.
    
    (cherry picked from commit af199c40f9511663f2ae6b1dff6bda296c356c5e)
    
  • fb9fc759
    by Stefan Csomor at 2026-05-20T14:56:55+02:00
    OSX 10.10 compatibility for compositing operators
    
    * Add defines for macOS < 10.12 in private header
    
    See #26472, #26476.
    
    (cherry picked from commit e15db260b28951bee492307961c7690d60fa443f)
    
  • 0022c8ef
    by Vadim Zeitlin at 2026-05-21T22:47:00+02:00
    Avoid out-of-bounds palette write in wxIFFDecoder::ConvertToImage()
    
    See #26440.
    
    (cherry picked from commit d4188f68378ddb275257d765f9b6b765a893751e)
    
  • 38da54b4
    by Vadim Zeitlin at 2026-05-22T15:32:25+02:00
    Add new test GIF image to CMake builds too
    
    This should have been done in c2e5749443 (Fix crash when reading
    truncated GIF image, 2023-07-02), but was forgotten there -- so do it
    now, and add a comment reminding not to forget it the next time.
    
    See #23409.
    
    (cherry picked from commit aa77eb91b0111fdd3bce9d0b2833e43923e93705)
    
  • 60017126
    by dxbjavid at 2026-05-22T16:40:53+02:00
    Reject BMP RLE absolute runs that overrun the current scanline
    
    In src/common/imagbmp.cpp::LoadBMPData() the absolute-mode branches of
    both the BI_RLE4 (around line 763) and BI_RLE8 (around line 870) decode
    loops increment 'column' for each pixel without checking it against
    'width'. The image buffer is sized width * height * 3 and 'poffset' is
    computed as line * width * 3 + column * 3, so an absolute escape with
    a count larger than (width - column) keeps writing through the rest of
    the row and into adjacent rows or past the end of the buffer entirely
    on the last decoded scanline.
    
    The neighbouring encoded-mode branches at lines 798 and 896 already use
    "&& column < width" to clamp runs to the row width, and the delta-mode
    branch at lines 758 and 863 rejects out-of-range row offsets, so the
    absolute branches are the only RLE paths left without bounds checking.
    
    Reject the file with return false when the absolute run would extend
    past the right edge of the current row, matching the existing
    "return false on malformed input" pattern in the same function.
    
    Add a regression test that loads a 4x4 8bpp RLE BMP with an absolute
    escape claiming 100 pixels on the first row and expects the loader to
    fail rather than write past the image buffer.
    
    See #26496.
    
    (cherry picked from commit d1d6605e93961e3afe5778c14f951956db55fe1e)
    
  • 597c0ab3
    by jmestwa-coder at 2026-05-22T16:46:45+02:00
    Validate IFF BMHD fields to prevent pixel-buffer overflow
    
    wxIFFDecoder::ReadIFF() in src/common/imagiff.cpp parses the BMHD
    chunk without bounding the width, height or bitplane count. The
    subsequent pixel buffer is allocated with
    
        m_image->p = new byte[bmhd_width * bmhd_height * 3];
    
    using signed-int multiplication. With bmhd_width = 21849 and
    bmhd_height = 65535 (both legal 16-bit BMHD values) the product
    4,295,622,645 overflows int and wraps down to 655,349, so only
    ~640 KiB is actually allocated. The BODY decode loop then writes
    3 * bmhd_width bytes per row, so a BODY chunk supplying just 10
    lineskips of zeros (lineskip = 2732 for this width, total 27,320
    bytes) is enough to overrun the allocation. A bmhd_bitplanes or
    bmhd_width of zero also makes lineskip * bmhd_bitplanes zero and
    causes a divide-by-zero in the height computation a few lines
    later.
    
    Reject malformed BMHD chunks at parse time: require positive
    width, height and bitplane count, cap the bitplane count at 32
    (the largest format the decoder handles is 24-bit ILBM), and cap
    bmhd_width * bmhd_height so that the product multiplied by 3
    stays within INT_MAX. This makes the existing int-typed buffer
    size computation safe and keeps the patch local to the BMHD
    parsing branch.
    
    A unit test in tests/image/image.cpp builds the malformed IFF
    described above in memory, registers the IFF handler and asserts
    that LoadFile() rejects it; without the fix the test triggers a
    heap-buffer-overflow during BODY decoding.
    
    See #26497.
    
    (cherry picked from commit d22a91e95268d2748fcf6656d70158f2c43ae234)
    
  • 61d185f1
    by Vadim Zeitlin at 2026-05-23T16:38:05+02:00
    Fix static order initialization problem in wxCSConv
    
    wxCSConv::wxCSConv() called during global variables initialization could
    use the yet uninitialized global gs_nameCache.
    
    Fix this in the usual way, by wrapping the global in a function to
    ensure that it is always initialized before being used.
    
    (cherry picked from commit d3fb6dcaddd15994cc21213d99aa350d4e259346)
    
  • 2d00db9e
    by dxbjavid at 2026-05-23T16:53:44+02:00
    Reject GIF files with LZW minimum code size > 11
    
    The minimum code size byte that follows the local colour table in
    wxGIFDecoder::LoadGIF() is only checked for <= 0. dgif() sizes
    ab_prefix/ab_tail with allocSize = 4096 + 1, so a value of 12
    starts ab_free at 4098 and the first alphabet update at
    gifdecod.cpp:457 writes one entry past the end of both arrays. The
    existing wxASSERT(ab_free < allocSize) already flagged this in debug
    builds. The new wxImage::BadGIFLZWMinCodeSize test feeds a 37-byte
    2x1 GIF with code size 12 to LoadFile and asserts it is rejected.
    
    See #26501.
    
    (cherry picked from commit 71d58842ebc709c925ef8a28821a1656d6170181)
    
  • 4398e72c
    by Vadim Zeitlin at 2026-05-23T16:53:52+02:00
    Fix memory leak when loading invalid GIF files
    
    This was already attempted back in 56ba039411 (fixed memory leaks when
    reading invalid GIFs, 2007-03-30) but the cleanup guard added there
    didn't really fix anything as we need to free memory in GIFImage, not
    wxGIFDecoder itself.
    
    Really fix this now by calling the newly added GIFImage::Free() and not
    wxGIFDecoder::Destroy(), which will be called by the dtor anyhow, on
    error.
    
    See #26501.
    
    (cherry picked from commit 5bc58ae3d1a844dae30e77be3812d95c566c14f5)
    
  • d8dd2ac4
    by dxbjavid at 2026-05-23T16:56:08+02:00
    Stop reading past wxCharBuffer end on unterminated XPM quote
    
    The quote-stripping loop in wxXPMDecoder::ReadFile() sets p = q + 1
    after strncpy(). If the closing " was missing, q stopped at the
    buffer terminator, so p ended up one past it and the outer for-loop's
    p++ then dereferenced two bytes off the end of the wxCharBuffer.
    Mirror the already-existing /*-comment treatment and break out of the
    loop when *q == '\0'.
    
    See #26499.
    
    (cherry picked from commit 49a4dbee56bca3737a26f91ae32b6a6d6cca6f8a)
    
  • f70412d1
    by dxbjavid at 2026-05-23T20:56:45+02:00
    Reject TGA files with non-zero colour map origin
    
    ReadTGA() in src/common/imagtga.cpp allocates the palette buffer as
    paletteLength * palEntrySize bytes (palette indices 0..paletteLength-1)
    but the loop that fills it writes each entry at index paletteStart + i.
    The paletteStart and paletteLength values come straight from the TGA
    header (bytes 3-7 of the colour map specification) and aren't bounded
    against each other. For any file with paletteStart > 0, the calls to
    Palette_SetRGB()/Palette_SetRGBA() write past the end of the buffer:
    e.g. paletteStart=100, paletteLength=10, palettebpp=24 allocates 30
    bytes but writes at offsets 100..129. The subsequent
    image->SetPalette(wxPalette((int) paletteLength, &palette[0], ...))
    also reads from index 0 onward, so the rest of the loader was already
    implicitly assuming paletteStart == 0.
    
    Add an explicit early-return wxTGA_INVFORMAT in the colour-mapped
    branch when paletteStart is non-zero, which is the assumption the
    existing code makes anyway.
    
    See #26493.
    
    (cherry picked from commit b2d7c29f299e295637c05c5d6438ddf6eba5528b)
    
  • cb63e1ca
    by dxbjavid at 2026-05-25T14:31:16+02:00
    Stop reading past data end in truncated IFF BODY decode
    
    Fix iff body truncation over-read in wxIFFDecoder::ReadIFF:
    wxIFFDecoder::ReadIFF() sets chunkLen = dataend - dataptr on the
    truncated BODY path, which is 8 too large because bodyptr lives 8 bytes
    after dataptr. The non-RLE decode loop below then reads up to 8 bytes
    past the end of databuf; clamp chunkLen to dataend - bodyptr instead.
    
    See #26505.
    
    (cherry picked from commit c8c1ca9bb8d9e7e7335d80c97e39917b39e22b79)
    
  • 86ff8237
    by dxbjavid at 2026-05-25T14:35:42+02:00
    Validate data chunk header room in wxSound::LoadWAV()
    
    Don't read beyond the end of the buffer as could happen in case of a
    44-byte WAV file with a 0-sized LIST chunk.
    
    See #26506.
    
    (cherry picked from commit 6069ea92b392948e61d1250fc24e192e8c39cea4)
    
  • 9093f4c7
    by dxbjavid at 2026-05-25T19:06:05+02:00
    Reject too-short ZIP64 extra field in wxZipEntry::LoadExtraInfo()
    
    wxZipEntry::LoadExtraInfo() calls wxZipHeader::Read64() up to three
    times on a wxZipHeader of length min(fieldLen, 28). Read64() doesn't
    bounds-check m_pos against m_size, so a short ZIP64 extra field returns
    uninitialised bytes from the header's 64-byte stack-allocated m_data and
    they end up in the entry's m_Size / m_CompressedSize / m_Offset. Reject the
    entry when fieldLen is below the requested 64-bit total.
    
    See #26507.
    
    (cherry picked from commit b29393b32796e543db335bfebd5045af2744c0c5)
    
  • 30135386
    by Blake-Madden at 2026-05-25T19:06:05+02:00
    Fix off-by-one buffer overflow in wxWebViewIE
    
    wcscpy call wasn't leaving space for the nul terminator
    
    See #26508.
    
    (cherry picked from commit 313fbb08b448b92000e8136bf5f278b968eda888)
    
  • fbec2606
    by Blake-Madden at 2026-05-25T19:06:05+02:00
    Fix typo in UuidToCForm format string and use bounded wxSnprintf
    
    See #26508.
    
    (cherry picked from commit b6bfeaac4978f08057c12b099224a01907e702bf)
    
  • a76b6c8e
    by Blake-Madden at 2026-05-25T19:06:05+02:00
    Get charset from CHARFORMAT in wxTextCtrl instead of hardcoding ANSI_CHARSET
    
    See #26508.
    
    (cherry picked from commit b1722286466ffdea9f0f9a5caeb79150f019d398)
    
  • c60dbd15
    by dxbjavid at 2026-05-26T23:53:51+02:00
    Validate ANI frame indices against loaded icon count
    
    The SEQ chunk of an ANI file gives a 32-bit image index per animation
    step.  These values were stored into wxANIFrameInfo::m_imageIndex
    verbatim, without any check against the number of icon chunks actually
    loaded into m_images.  wxANIDecoder::ConvertToImage() and
    GetTransparentColour() then used the value as an index into m_images
    directly, so a malformed ANI file could trigger an out-of-bounds vector
    access when the file is displayed.
    
    Reject the file in Load() if any of the indices is negative or points
    past the end of m_images, and also reject files that produced no icon
    chunks at all so the subsequent m_images[0] reference is safe.
    
    See #26492.
    
    (cherry picked from commit a676a0f1f51f5c94036d64df3863664586937aa6)
    
  • d301e9ed
    by dxbjavid at 2026-05-26T23:53:51+02:00
    Validate 4-bit BMP palette index against number of colors
    
    Fix out-of-bounds read when decoding 4bpp BMP with invalid palette
    indices.
    
    See #26511.
    
    (cherry picked from commit b47e2bb3527862397cafc7d200637db2ec0194f8)
    
  • d4125647
    by dxbjavid at 2026-05-27T15:59:00+02:00
    Fix out-of-bounds table read in wxMBConvUTF7::ToWChar()
    
    In wxMBConvUTF7::ToWChar() the value of the byte after '+' was cast to
    "unsigned", which meant that on the platforms with signed bytes, values
    greater than 0x80 were sign-extended to a ~4GiB index which was (way)
    out of bounds for a 256-entry table.
    
    Fix the code by casting to "unsigned char", like the cc lookup just
    above already does.
    
    See #26517.
    
    (cherry picked from commit f5c81bc5de564eb2b27414179b7902559dc6a115)
    
  • 1175aa02
    by ryancog at 2026-05-30T16:58:42+02:00
    Fix wxURI::IsReference() description
    
    The documentation described the inverse of the name of the
    function and what it actually did, fix it to describe the actual
    function behaviour.
    
    See #26520.
    
    (cherry picked from commit 41969e24dc95c54f900f1fe9c48ac0771ff29246)
    
  • 3bc57e47
    by dxbjavid at 2026-05-30T17:02:01+02:00
    Fix one-byte over-read in IFF decomprle replicate packet
    
    The replicate-run branch reads the packet's data byte after only
    checking that one source byte remains, but it consumes two (the control
    byte plus the data byte). A BODY ending in a lone replicate control byte
    then reads one byte past the input buffer. Require two bytes left,
    matching the literal-run check above.
    
    See #26518.
    
    (cherry picked from commit 83d55d0a9027e3798c5444554586b85cfba06015)
    
  • 92bbcac5
    by Vadim Zeitlin at 2026-05-31T17:00:37+02:00
    Always define wxMsgCatalog dtor in the library
    
    Objects of this class previously couldn't be used when using shared wx
    libraries because their default, compiler-generated, dtor referenced
    dtor of wxPluralFormsCalculatorPtr which was not exported from the
    library.
    
    Fix this by defining wxMsgCatalog dtor inside the library too.
    
  • 4864782d
    by dxbjavid at 2026-05-31T17:31:21+02:00
    Fix buffer overflow when loading invalid message catalogs
    
    Avoid integer overflow in message catalog StringAtOfs() bounds check:
    StringAtOfs() read ofsString and nLen from the .mo file and checked
    ofsString + nLen against the data length, but both are 32-bit so the
    sum wraps and a translated entry declaring nLen 0xffffffff passes the
    check; FillHash() then scans past the end of the catalog. Compute the
    offset as a 64-bit value so the addition can't overflow and result in an
    invalid index into the buffer.
    
    Add a test feeding such a catalog through wxMsgCatalog::CreateFromData().
    
    See #26513.
    
    (cherry picked from commit 2647c0806ff1d1caac4056e6760b996d72a409b1)
    
  • f77f70b1
    by dxbjavid at 2026-05-31T17:31:21+02:00
    Fix buffer overflow on invalid width in wxXPMDecoder
    
    Fix integer overflow in wxXPMDecoder::ReadData() when computing
    width*chars_per_pixel: a header with a (very) large width could result
    in wrapping around and result in a reasonable but yet invalid value, which
    could let the key-reading loop run off the end of the buffer.
    
    Compute the product in 64-bits to avoid the overflow.
    
    See #26519.
    
    (cherry picked from commit 46f928d057a478bf4202f4ee381d74d9a0d7543e)
    
  • 0d53937a
    by dxbjavid at 2026-05-31T17:31:21+02:00
    Fix data-size bound check past LIST chunk in wxSound::LoadWAV()
    
    The check compared ul against length minus the fixed offset FMT_INDEX +
    uiSize + 16, which equals data_offset + 8 only when no LIST chunk is
    present. When a LIST chunk is present data_offset has already been
    advanced past it, so a crafted WAV can pass this check with ul larger
    than the bytes that actually follow the data-chunk header, and the
    OSS/SDL playback paths then read past m_dataWithHeader. Use data_offset
    directly so the same constraint holds either way.
    
    See #26525.
    
    (cherry picked from commit 262cec29155eca7ff9a6fd2e1d7d7cfd4912fa0d)
    
  • 3c5d06ab
    by Vadim Zeitlin at 2026-05-31T17:31:21+02:00
    Avoid buffer read overflow in wxCharTypeBuffer ctor
    
    Don't assume that the data is always followed by NUL.
    
    See #26527.
    
    (cherry picked from commit cf50020259ebf5f73b00138599f3ad958ae156fe)
    
  • 15b402e6
    by Vadim Zeitlin at 2026-05-31T20:04:41+02:00
    Make recently added wxXPMDecoder test case really pass
    
    We need to use memmove() and not strncpy() in wxXPMDecoder code as
    nothing guarantees that the source and destination regions don't overlap
    and they did overlap, in fact, for the test case added as part of
    46f928d057 (Fix buffer overflow on invalid width in wxXPMDecoder,
    2026-05-27).
    
    Also make the test itself more explicit by hard-coding the test XPM
    instead of constructing it dynamically.
    
    See #26519.
    
    (cherry picked from commit ccff9fe0f3ef3cc812da9b56bd56b5bc3273ddec)
    
  • a1cac3c2
    by dxbjavid at 2026-05-31T20:04:41+02:00
    Fix buffer overflow in deepCopyHostent() name copy
    
    This function, which is called by wxGethostby{name,addr}_r() if native
    implementations of these functions are not available, could overflow the
    input buffer by a byte if the host name was equal to the buffer size.
    
    Fix the check for length, which also makes it consistent with the check
    in deepCopyServent() just below.
    
    See #26528.
    
    (cherry picked from commit 7348f005b7f768634d79233a268bf42d7bee5893)
    
  • 9c94b432
    by dxbjavid at 2026-05-31T20:04:41+02:00
    Fix integer overflow in tar extended header bounds check
    
    recSize in wxTarInputStream::ReadExtendedHeader() comes from the
    record's decimal byte-count field, so a pax header declaring a length
    close to SIZE_MAX makes recPos + recSize wrap below len and pass the
    check. The following pRec[recSize - 1] then reads far past the buffer,
    which ASAN flags as a heap-buffer-overflow.
    
    Comparing recSize against len - recPos avoids the wrap.
    
    See #26530.
    
    (cherry picked from commit 4cf9de30097c43447bc8e71054ee3212a8f879e3)
    
  • a3b244bd
    by dxbjavid at 2026-05-31T20:04:41+02:00
    Fix out-of-bounds read on trailing % in wxFileType::ExpandCommand()
    
    A command ending in a bare '%' made the loop in this function
    advance past the end of the string.
    
    Fix this by handling only non-trailing '%' specifically.
    
    See #26531.
    
    (cherry picked from commit 18582927af8bb7e0f8283f7c4c854db7377d0272)
    
  • bb347b7d
    by dxbjavid at 2026-05-31T20:04:41+02:00
    Validate decoded pixel indices in wxGIFDecoder::ConvertToImage()
    
    Avoid reading uninitialized memory if any of the pixels in the input
    data reference entries beyond the end of the palette.
    
    See #26521.
    
    (cherry picked from commit 86bc0762efcee173963d8002934d592141a0e1ae)
    
  • 741fdc72
    by dxbjavid at 2026-05-31T20:04:41+02:00
    Avoid writing beyond the buffer end for GIFs with zero size
    
    Reject GIF frames with zero width or height to avoid writing beyond the
    (empty) buffer returned by malloc(0).
    
    See #26524.
    
    (cherry picked from commit 830ec3c439ee58f84bb4c214fabe37c5e7d4eaa1)
    
  • 87078e90
    by dxbjavid at 2026-05-31T20:04:41+02:00
    Fix buffer overflow in wxVsnprintf() when size==0
    
    Don't write NUL byte to "buf[size - 1]" when size is 0.
    
    This bug was present in both implementations of wxVsnprintf(), so fix it
    in both places too.
    
    See #26522.
    
    (cherry picked from commit a3ad8e33602aff06e57a7d3637df546cc07593b0)
    
  • 5093c113
    by dxbjavid at 2026-06-01T14:11:30+02:00
    Fix out-of-bounds read on trailing backslash in wxRegEx::Replace()
    
    wxRegExImpl::Replace() scans replacement.c_str() and does *++p after a
    backslash. When the replacement ends in a lone backslash, that reads the
    terminating NUL, the else branch appends it, and the loop's p++ then
    steps one byte past the NUL so the *p condition reads out of bounds.
    
    Keep a trailing backslash verbatim and stop before the increment.
    
    Add a test checking that this doesn't result in ASAN errors any more.
    
    See #26541.
    
    (cherry picked from commit 9b0eb807cd03eb9ba517b8d5371c91d811a7682b)
    

59 changed files:

The diff was not included because it is too large.
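
Several commit messages above (597c0ab3 for IFF BMHD, 4864782d for message catalogs, 9c94b432 for tar extended headers) describe the same failure: a size or bounds computation on file-supplied integers wraps before it is compared. The following is an added example, not code from wxWidgets or from this push; the function names are hypothetical and only the numeric values come from the commit messages.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Size that a 32-bit multiplication yields for a width x height RGB buffer.
   Computed in 64 bits and truncated so the wrap is well defined here. */
static uint32_t wrapped_rgb_size(uint32_t width, uint32_t height)
{
    return (uint32_t)((uint64_t)width * height * 3u);
}

/* Hypothetical validator following the rules stated in 597c0ab3: positive
   width, height and bitplane count, at most 32 bitplanes, and
   width * height * 3 within INT_MAX. The last condition is tested by
   division, so no intermediate product can wrap. */
static bool bmhd_size_ok(uint32_t width, uint32_t height,
                         uint32_t bitplanes, size_t *size)
{
    if (width == 0 || height == 0 || bitplanes == 0 || bitplanes > 32)
        return false;
    if (width > (uint32_t)INT_MAX / 3u / height)
        return false;
    *size = (size_t)width * height * 3u;
    return true;
}

/* Unsafe form: the sum is formed in 32 bits and wraps before the compare. */
static bool range_ok_naive32(uint32_t ofs, uint32_t len, uint32_t total)
{
    return (uint32_t)(ofs + len) <= total;
}

/* Form described for the message catalog fix: widen before adding. */
static bool range_ok_64(uint32_t ofs, uint32_t len, uint32_t total)
{
    return (uint64_t)ofs + len <= total;
}

/* Form described for the tar fix: compare the length against the space
   that is left, which never needs a sum at all. */
static bool range_ok(size_t pos, size_t len, size_t total)
{
    return pos <= total && len <= total - pos;
}

int main(void)
{
    size_t size = 0;

    /* Values from the IFF commit message. */
    printf("32-bit size for 21849 x 65535 RGB: %u bytes\n",
           (unsigned)wrapped_rgb_size(21849u, 65535u));
    printf("validator: %s\n",
           bmhd_size_ok(21849u, 65535u, 24u, &size) ? "accepted" : "rejected");

    /* Constructed values: offset 28 in a 64-byte buffer, declared length
       0xffffffff as in the message catalog commit message. */
    printf("naive 32-bit check: %s\n",
           range_ok_naive32(28u, 0xffffffffu, 64u) ? "passes" : "fails");
    printf("64-bit check:       %s\n",
           range_ok_64(28u, 0xffffffffu, 64u) ? "passes" : "fails");

    /* Constructed values: record length close to SIZE_MAX, as in the tar
       commit message. */
    printf("subtraction check:  %s\n",
           range_ok(10, SIZE_MAX - 4, 512) ? "passes" : "fails");
    return 0;
}
```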
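
The BMP RLE commit messages above (60017126 for absolute runs, 94462af4 for palette indices) describe per-branch checks in the decode loop. The following is an added example showing where those checks sit in a BI_RLE8 decoder; it is not the imagbmp.cpp code. As assumptions, it writes palette indices instead of RGB, fills rows in file order, treats truncated input as an error, and uses constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode BI_RLE8 data into a width*height buffer of palette indices.
   The caller guarantees width > 0, height > 0 and width*height bytes at dst.
   Returns false on malformed input instead of writing out of bounds. */
static bool rle8_decode(const uint8_t *src, size_t srclen, uint8_t *dst,
                        unsigned width, unsigned height, unsigned ncolors)
{
    size_t pos = 0;
    unsigned line = 0, column = 0;   /* invariant: column <= width */

    while (line < height) {
        if (srclen - pos < 2)        /* every record starts with two bytes */
            return false;
        uint8_t first = src[pos++];
        uint8_t second = src[pos++];

        if (first != 0) {            /* encoded run: 'second' x 'first' */
            if (second >= ncolors)   /* palette index check */
                return false;
            for (unsigned n = 0; n < first && column < width; n++)
                dst[(size_t)line * width + column++] = second;
        } else if (second == 0) {    /* end of line */
            line++;
            column = 0;
        } else if (second == 1) {    /* end of bitmap */
            return true;
        } else if (second == 2) {    /* delta: skip dx columns, dy rows */
            if (srclen - pos < 2)
                return false;
            unsigned dx = src[pos++];
            unsigned dy = src[pos++];
            if (dx > width - column || dy >= height - line)
                return false;
            column += dx;
            line += dy;
        } else {                     /* absolute run of 'second' literals */
            size_t padded = (size_t)second + (second & 1u);
            if (second > width - column)  /* run would pass the row end */
                return false;
            if (srclen - pos < padded)    /* literals must be present */
                return false;
            for (unsigned n = 0; n < second; n++) {
                uint8_t idx = src[pos + n];
                if (idx >= ncolors)
                    return false;
                dst[(size_t)line * width + column++] = idx;
            }
            pos += padded;           /* runs are padded to an even length */
        }
    }
    return true;
}

/* Constructed 4x4 samples with a 4-entry palette. */
static const uint8_t SAMPLE_OK[] = {
    0x04, 0x01, 0x00, 0x00,                   /* row 0: 1 1 1 1          */
    0x00, 0x03, 0x00, 0x01, 0x02, 0x00,       /* row 1: literal 0 1 2    */
    0x01, 0x03, 0x00, 0x00,                   /*        then 3           */
    0x04, 0x02, 0x00, 0x00,                   /* row 2: 2 2 2 2          */
    0x04, 0x03, 0x00, 0x01                    /* row 3: 3 3 3 3, end     */
};
/* Absolute escape claiming 100 pixels on the first row; the 100 literal
   bytes are present (all zero) so only the row-width check can reject it. */
static const uint8_t SAMPLE_OVERRUN[102] = { 0x00, 0x64 };
/* Encoded run using palette index 9 with only 4 colours defined. */
static const uint8_t SAMPLE_BAD_INDEX[] = { 0x04, 0x09, 0x00, 0x01 };

int main(void)
{
    uint8_t img[16];
    memset(img, 0xEE, sizeof img);
    printf("valid:     %d\n", rle8_decode(SAMPLE_OK, sizeof SAMPLE_OK, img, 4, 4, 4));
    printf("overrun:   %d\n", rle8_decode(SAMPLE_OVERRUN, sizeof SAMPLE_OVERRUN, img, 4, 4, 4));
    printf("bad index: %d\n", rle8_decode(SAMPLE_BAD_INDEX, sizeof SAMPLE_BAD_INDEX, img, 4, 4, 4));
    return 0;
}
```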