[Git][wxwidgets/wxwidgets][3.2] 26 commits: Fix out-of-bounds read on truncated UTF-8 in wxUString

Vadim Zeitlin (@_VZ_)

Jul 2, 2026, 6:19:31 PM
to wx-commi...@googlegroups.com

Vadim Zeitlin pushed to branch 3.2 at wxWidgets / wxWidgets

Commits:

  • 4069a67f
    by dxbjavid at 2026-06-01T23:46:53+02:00
    Fix out-of-bounds read on truncated UTF-8 in wxUString
    
    The length-counting pass in assignFromUTF8() advances p by the lead
    byte's UTF-8 sequence length without checking those bytes are really
    there. A string ending in a truncated multibyte sequence (e.g. a lone
    0xC3 before the NUL) skips p past the terminating NUL, so the while(*p)
    test then reads past the end of the buffer.
    
    The assignFromUTF8(str, n) overload below already guards this via
    utf8_pos + len > n; this just adds the equivalent check for the
    terminated form.
    
    Closes #26548.
    
    (cherry picked from commit 76991d2d13c6214f390331a1e2bee88f0658cfe8)
    
  • d256b9f1
    by dxbjavid at 2026-06-02T14:56:25+02:00
    Fix rowspan/colspan integer overflow in wxHtmlTableCell::AddCell()
    
    AddCell() reads COLSPAN and ROWSPAN from the markup into ints with no
    upper bound, then uses r + rowspan and c + colspan to grow the cell
    table and to index ypos[] in Layout(). A value near INT_MAX, e.g. in the
    second row, overflows the addition so the r + rowspan > m_NumRows growth
    check is bypassed and Layout() writes past the end of ypos[].
    
    Clamp colspan and rowspan to the limits from the HTML spec (1000 and
    65534).
    
    See #26554.
    
    (cherry picked from commit 4309276ceff156cba65dc537c643995ed11d9697)
    
  • b65c4525
    by Scott Talbert at 2026-06-04T20:53:26+02:00
    Update GitHub Actions to be Node v24 compatible
    
    Node v20 has gone EOL and will be removed from GitHub Actions soon.
    This migrates all the GitHub Actions to use versions that are Node 24
    compatible.
    
    The only change of real substance is moving to the step-security fork of
    gha-setup-vsdevenv which seems probably better than wx maintaining its
    own fork.
    
    Also update a few other action versions in the 3.2 branch to use the same
    versions as in master.
    
    (cherry picked from commit 39c73b42f5882fc0eef568eda077ee20385c7bbd)
    
  • 5f5813c4
    by dxbjavid at 2026-06-04T23:12:18+02:00
    Fix out-of-bounds read on trailing % in wxDateTime::Format()
    
    Omit the unit test added in master due to the changes in it between
    master and this branch.
    
    See #26543.
    
    (cherry picked from commit 53901b80d243b2b75e245768c0e4d66e0f030ae0)
    
  • bc9a7221
    by dxbjavid at 2026-06-04T23:15:28+02:00
    Fix off-by-one in hostent/servent pointer list terminator
    
    The h_addr_list/h_aliases/s_aliases copy loops in deepCopyHostent() and
    deepCopyServent() reserve N pointer slots for N entries and then write
    the terminator with *++q, one slot too far, so the array isn't
    terminated right after the last entry and that slot holds copied
    address/alias bytes used as a pointer.
    
    Reserve a slot for the terminator and write it with *q.
    
    See #26553.
    
    (cherry picked from commit 48561fc632f7f12e0916a4651faa319f49baa0be)
    
  • bb8d1de4
    by dxbjavid at 2026-06-22T16:22:14+02:00
    Validate background colour index in wxGIFDecoder::LoadGIF()
    
    Don't set background colour to uninitialized memory contents, just
    ignore the invalid index.
    
    See #26582.
    
    (cherry picked from commit 7ee01fa850fd674d46aa2a4e136a6dec5375c685)
    
  • 64576a0e
    by dxbjavid at 2026-06-22T16:43:36+02:00
    Avoid uninitialised palette read in wxXPMDecoder::ReadData()
    
    This function allocates the palette r/g/b arrays from the colour count
    given in the XPM header but fills them by walking the colour map, so a
    malformed file that reuses the same key on more than one colour line
    collapses those lines into a single map entry and leaves the tail of the
    arrays uninitialised. wxPalette() then copies that uninitialised memory
    into the palette later returned by GetPalette(), and in debug builds the
    wxASSERT(i == colors_cnt) at the end fires.
    
    Use the actual number of distinct colours in the map as the size for
    the arrays and the palette to fix this.
    
    Also add a test loading an XPM triggering this issue.
    
    See #26595.
    
    (cherry picked from commit 788b4581122ffda0ee5b7c51132d115e62aafd99)
    
  • ea419d1a
    by Paul Cornett at 2026-06-22T16:43:36+02:00
    Fix drawing of very large bitmaps with GTK3
    
    Creating a Cairo "similar image" surface seems to use a lot of memory for very large
    images, resulting in what is probably an out-of-memory condition. Using a plain
    image surface allows sizes up to the Cairo limit of 32767x32767 to be handled.
    See #25656
    
    (cherry picked from commit ecb37e81afcf47a3254f367c8fdafdd216b5ec82)
    
  • 03e45c46
    by Vadim Zeitlin at 2026-06-22T16:43:36+02:00
    Update version to 3.2.11
    
    Run ./misc/scripts/inc_release, bakefile and autoconf.
    
  • 17b5315c
    by Jorge Moraleda at 2026-06-22T16:43:36+02:00
    Add wxGrid::GetFrozenRowLabelWindow() and GetFrozenColLabelWindow()
    
    These accessors for the frozen row and column label sub-windows were
    missing from the public API even though the equivalent data cell windows
    (GetFrozenRowGridWindow/GetFrozenColGridWindow) are already public.
    Without them it is impossible to bind events (e.g. EVT_MOTION) to the
    frozen label strips from outside the wxGrid implementation.
    
    See #26617.
    
    (cherry picked from commit e069b7f4b9737b634bd727fe124854bdc3085514)
    
    Co-authored-by: Vadim Zeitlin <va...@wxwidgets.org>
    
  • e496bf41
    by Vadim Zeitlin at 2026-06-23T22:55:06+02:00
    Use wxVector<> instead of vector<> in wxSocket code
    
    Amend the changes of 644b99da6c (Make wxSocket::Peek() work with UDP
    too, 2023-06-03), see #23594, #23604.
    
  • 4d219f49
    by Javid Khan at 2026-07-01T01:23:54+02:00
    Avoid buffer overflow when parsing AFM files
    
    Limit sscanf field widths to avoid overflowing fixed size buffers in
    wxPostScriptDC code.
    
    See #26645.
    
    (cherry picked from commit b0e297a0caab1d3b01dfa76f420529aa18c4a00d)
    
  • 2c980e2f
    by Lunar-YZ at 2026-07-01T16:35:52+02:00
    Fix wxPG macros when wxNO_IMPLICIT_WXSTRING_ENCODING is defined
    
    Use wide-char literal string instead of an ASCII one to fix compilation.
    
    See #26651.
    
    (cherry picked from commit aae2d7062c427b449c61e3d343be7c7aba45bfd6)
    
  • a6eb870f
    by Maarten Bent at 2026-07-01T20:40:25+02:00
    CMake: Always install common headers
    
    backport of d3cdfc8882d379e8e40e33a6be6ee82c341e5cfa
    
  • 18d62302
    by Maarten Bent at 2026-07-01T20:40:26+02:00
    CMake: Install with relative symlinks
    
    backport of 24571ab89db0fda94a77fc56398b146af58f36c0
    
  • 558f956c
    by Maarten Bent at 2026-07-01T20:40:34+02:00
    CMake: Add wxbase_only target
    
    backport of 62403ce1e04b4efa50dfb7a4c749a54fc23d09d9
    
    Import install properties of static libraries
    backport of b17a03da7f8ada0433dac4bb80d867b1b1a7b4ce
    
  • 55180fdc
    by Maarten Bent at 2026-07-01T20:40:35+02:00
    CMake: Declare more build option dependencies
    
    backport of a967bead1a11321bab0e91ce126efc1e3eeec159
    
    Get rid of macro to link sample libraries
    backport of 54bbd316def346c2b3f61ad0eb4310ed8bbd834c
    
    Enable MFC sample when MFC is available
    backport of f2ff34b6fb55ef7874577abb6cf3b73eec458557
    
    Fix building wxBase under Android
    backport of c52190e3d14a5b12c0672aa66ef0e8f02da5703d
    
  • 2c1b8492
    by Maarten Bent at 2026-07-01T20:57:30+02:00
    CMake: Miscellaneous backports
    
    Automatically update outdated WebView2 package
    backport of 210d1db7a74974504d7617fff0d728b1820deceb
    
    Don't use /MP option when not using MSVS CMake generator
    backport of 8ef84ab4fd706a9428b3285ab003883906697ff6
    
    Set the wx-config RESCOMP value
    backport of 48092f29cbdc30397a00fafeaf6dbba94c85a06a
    
    Allow to override wx_option_auto
    backport of 764d775076f8c2b05c5b3d8cb64cae863ffd2368
    
    Don't install release PDBs when stripped releases is enabled
    backport of 8c1ede66075ccfca8edfcfe87950e89ebc4c64d5
    
    Slightly simplify and make more robust CMake version parsing
    backport of 8933626b22e714f43c01c75b40dd6e582d3f3c38
    
    Build wxxml in non-GUI builds too
    backport of 8af1ec05eaad028e56d4fb4798240a5a0f132a94
    
    change wxUSE_CONFIG_NATIVE setting logic in
    backport of 9377ec794e1610318fc39919723c225f4ed4b04d
    
    Add detection of SM library to CMake
    backport of f275d6f43578772f6596cf3b41cf8a2a4df08aef
    
    Re-enable wxUSE_DETECT_SM by default in CMake builds
    backport of cfb3856045fad30b6f30d3a5bfac355e8336d647
    
    Improve checks for GTK3 on macOS
    backport of 92820ce8a9583ff3c0ccb39100539c13b6575489
    
    Only enable wxUSE_HOTKEY on wxMSW and wxOSX
    backport of 32ca3660831c72f042d5cd86e18f2d0eb85670fb
    
    Disable wxUSE_FSVOLUME in the ports not supporting it
    backport of 6e8eac94ab9a4a9b15507b8aaa253efe661f77cd
    
    Backport RES_BUNDLE option
    
  • 5d9cba75
    by Maarten Bent at 2026-07-01T20:57:31+02:00
    CMake: Generate appropriate expat_config.h for Expat
    
    backport of 57edf800b26b43187ba2996ecd10d44e3cce94b5
    
    Skip some CMake checks that always fail under Windows
    partial backport of 94f53184f267aecbc48569bf8e66ef5c4ed1de96
    
  • b787dd0e
    by Maarten Bent at 2026-07-01T23:20:22+02:00
    CMake: Restructure wx_add_builtin_library
    
    Partial backport of cd201ad5f35014317f229a50440ab2ebc3e38c5d
    and 3d389bbbbfc592aa221f6cd3c4f11850626a6fa0
    
  • 06e93f6d
    by Maarten Bent at 2026-07-02T01:55:51+02:00
    CMake: Refactor applying toolkit properties
    
    backport of 7f293e41943a6e13e11c513aa4d8e40f702f7318
    
  • e3d18416
    by Vadim Zeitlin at 2026-07-02T23:53:12+02:00
    Merge branch 'backport-cmake-2026-06' of github.com:MaartenBent/wxWidgets into 3.2
    
    Backport some/most CMake improvements from master.
    
    See #26653.
    
  • 7d58b94b
    by Vadim Zeitlin at 2026-07-02T23:58:22+02:00
    Use "vc145" versioned suffix for MSVS 2026 compiler
    
    Use a distinct value for MSVS 2026 with wxMSVC_VERSION_AUTO.
    
    Note that vc144 should have been used for MSVS 2022 v17.14, see
    
    https://learn.microsoft.com/en-us/cpp/overview/compiler-versions
    
    but we didn't do it, so there is a hole between vc143 and vc145.
    
    (cherry picked from commit a0f5c92b964638b18c7be7bf48e3af0c03d11c79)
    
  • 5cb32ced
    by iht at 2026-07-03T00:00:58+02:00
    Update wxwidgets.props and common.bkl for VS 2026
    
    This is in line with the changes in a0f5c92b964638b18c7be7bf48e3af0c03d11c79 and 3d88038d0175b50781cf250b0c21165cbfd9cb22
    
    (cherry picked from commit f5cb9a66c0f4b6929379a10de02ecab454ddaf00)
    
  • dbb6df69
    by Vadim Zeitlin at 2026-07-03T00:02:09+02:00
    Rebake makefiles for 3.2.11
    
    Change WX_VERSION in all Makefile.in files.
    
  • d1024231
    by iht at 2026-07-03T00:02:44+02:00
    Update comment for wxToolsetVersion
    
    (cherry picked from commit 9006641fb1988217fb1d4d1bb30362d269b2dfdf)
    

280 changed files:

The diff was not included because it is too large.
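
Added example, not part of the commits above or of the wxWidgets source: a sketch of the length-counting problem described in 4069a67f. `UncheckedEndIndex` models with indices only where an unguarded pass ends up, and `CountCodePoints` is a guarded pass; all function names and the -1 return convention are assumptions of this sketch.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

// Sequence length implied by a UTF-8 lead byte, 0 if the byte cannot start one.
static size_t SeqLen(unsigned char b) {
    if (b < 0x80) return 1;
    if ((b & 0xE0) == 0xC0) return 2;
    if ((b & 0xF0) == 0xE0) return 3;
    if ((b & 0xF8) == 0xF0) return 4;
    return 0;
}

// Models the unchecked pass with indices only and returns where the cursor
// stops. A result greater than strlen(s) means the real loop's next *p test
// would have read beyond the terminating NUL.
size_t UncheckedEndIndex(const char* s) {
    const size_t n = strlen(s);
    size_t i = 0;
    while (i < n) {
        const size_t len = SeqLen(static_cast<unsigned char>(s[i]));
        i += len ? len : 1;
    }
    return i;
}

// Guarded pass: every continuation byte is examined before the cursor moves.
// NUL is not of the form 10xxxxxx, so a truncated sequence stops right here.
// Returning -1 is this sketch's choice, not necessarily what wxUString does.
long CountCodePoints(const char* s) {
    const unsigned char* p = reinterpret_cast<const unsigned char*>(s);
    long count = 0;
    while (*p) {
        const size_t len = SeqLen(*p);
        if (len == 0) return -1;
        for (size_t k = 1; k < len; ++k)
            if ((p[k] & 0xC0) != 0x80) return -1;
        p += len;
        ++count;
    }
    return count;
}

int main() {
    const char bad[] = "a\xC3";  // constructed input: lone lead byte before the NUL
    printf("len=%zu unchecked=%zu guarded=%ld\n", strlen(bad), UncheckedEndIndex(bad), CountCodePoints(bad));
    return 0;
}
```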
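
Added example, not part of the commits above or of the wxWidgets source: why the `r + rowspan > m_NumRows` growth check described in d256b9f1 stops firing for a span near INT_MAX, and how clamping restores it. The function names and the lower bound of 1 are assumptions of this sketch; only the limits 1000 and 65534 come from the commit message.

```cpp
#include <climits>
#include <cstdint>
#include <cstdio>

// Upper bounds named in the commit message (taken from the HTML spec).
const int kMaxColSpan = 1000;
const int kMaxRowSpan = 65534;

// Value a 32-bit "r + span" wraps to. Computed in unsigned arithmetic because
// signed overflow is undefined behaviour in C++.
int32_t WrappedSum(int32_t r, int32_t span) {
    return static_cast<int32_t>(static_cast<uint32_t>(r) + static_cast<uint32_t>(span));
}

// The growth test from the commit message, evaluated on the wrapped sum.
bool GrowthCheckFires(int r, int span, int numRows) {
    return WrappedSum(r, span) > numRows;
}

// Clamp a parsed attribute to [1, limit]. The lower bound of 1 is an
// assumption of this sketch; the commit message only names the upper limits.
int ClampSpan(int parsed, int limit) {
    if (parsed < 1) return 1;
    return parsed > limit ? limit : parsed;
}

// Rows the table must hold so that index r + span is valid after clamping.
// int64_t keeps the sum exact whatever r is.
int64_t RowsNeeded(int r, int parsedRowSpan) {
    return static_cast<int64_t>(r) + ClampSpan(parsedRowSpan, kMaxRowSpan);
}

int main() {
    const int r = 1, numRows = 2;   // constructed case: cell in the second row
    const int rowspan = INT_MAX;    // constructed attribute value
    printf("unclamped check fires: %d\n", GrowthCheckFires(r, rowspan, numRows));
    printf("clamped check fires:   %d\n",
           GrowthCheckFires(r, ClampSpan(rowspan, kMaxRowSpan), numRows));
    printf("colspan 5000 clamps to %d\n", ClampSpan(5000, kMaxColSpan));
    return 0;
}
```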