[Git][wxwidgets/wxwidgets][master] 2 commits: Avoid buffer read overflow in wxCharTypeBuffer ctor


Vadim Zeitlin (@_VZ_)

May 30, 2026, 5:10:24 PM (8 days ago) May 30
to wx-commi...@googlegroups.com

Vadim Zeitlin pushed to branch master at wxWidgets / wxWidgets

Commits:

  • cf500202
    by Vadim Zeitlin at 2026-05-30T18:00:35+02:00
    Avoid buffer read overflow in wxCharTypeBuffer ctor
    
    Don't assume that the data is always followed by NUL.
    
    Closes #26527.
    
  • ccff9fe0
    by Vadim Zeitlin at 2026-05-30T23:02:11+02:00
    Make recently added wxXPMDecoder test case really pass
    
    We need to use memmove() and not strncpy() in wxXPMDecoder code as
    nothing guarantees that the source and destination regions don't overlap
    and they did overlap, in fact, for the test case added as part of
    46f928d057 (Fix buffer overflow on invalid width in wxXPMDecoder,
    2026-05-27).
    
    Also make the test itself more explicit by hard-coding the test XPM
    instead of constructing it dynamically.
    
    See #26519.
    

4 changed files:

Changes:

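--- a/include/wx/buffer.h
+++ b/include/wx/buffer.h
@@ -299,7 +299,13 @@ protected:
     {
         CharType *dst = (CharType*)malloc(sizeof(CharType) * (len + 1));
         if ( dst )
-            memcpy(dst, src, sizeof(CharType) * (len + 1));
+        {
+            memcpy(dst, src, sizeof(CharType) * len);
+
+            // Make sure the buffer is NUL-terminated, even if the source
+            // string isn't.
+            dst[len] = (CharType)0;
+        }
         return dst;
     }
 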
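Review bot: The allocation size on the unchanged `malloc(sizeof(CharType) * (len + 1))` line is still computed without an overflow check, so a very large `len` could wrap and yield a buffer smaller than the `memcpy()` of `len` elements and the `dst[len]` store below it assume (the type of `len` is not visible in this hunk, presumably `size_t`). Since the commit already hardens the read side, a guard before the allocation such as `if ( len >= SIZE_MAX / sizeof(CharType) ) return nullptr;` would cover the write side too, and returning null matches the existing failed-malloc path. A comment above the function stating that `src` must provide at least `len` readable elements and need not be NUL-terminated would record the new contract. The function's signature is outside the hunk.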
    

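--- a/src/common/xpmdecod.cpp
+++ b/src/common/xpmdecod.cpp
@@ -196,7 +196,7 @@ wxImage wxXPMDecoder::ReadFile(wxInputStream& stream)
         if (*q == '\0')
             break;
 
-        strncpy(xpm_buffer + i, p + 1, q - p - 1);
+        memmove(xpm_buffer + i, p + 1, q - p - 1);
         i += q - p - 1;
         xpm_buffer[i++] = '\n';
         p = q + 1;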
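Review bot: The `memmove()` line has no comment saying why it must not be `memcpy()` or `strncpy()`, so a later cleanup could reintroduce the overlap bug the commit message describes. Something like `// Source and destination may overlap here, so memmove() is required.` directly above the call would record that. Note also that `memmove()` always copies exactly `q - p - 1` bytes, whereas `strncpy()` stopped at a NUL and padded the rest. This looks equivalent because the visible `if (*q == '\0') break;` suggests the scan for `q` ends at the first NUL, but the loop that sets `p` and `q` starts outside the hunk, so that should be confirmed there.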
    

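--- a/tests/image/image.cpp
+++ b/tests/image/image.cpp
@@ -1552,12 +1552,11 @@ TEST_CASE_METHOD(ImageHandlersInit, "wxImage::BadXPMWidthOverflow",
     // wraps to 59, so a one-pixel image line passes the length check and the
     // key-reading loop then runs off the end of the buffer. Loading such a
     // file must be rejected.
-    const std::string key(63, 'a');
-    const std::string xpm =
-        "/* XPM */\n"
-        "\"68174085 1 1 63\"\n"
-        "\"" + key + " c #ffffff\"\n"
-        "\"" + key + "\"\n";
+    const std::string xpm = R"("/* XPM */"
+"68174085 1 1 63"
+"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa c #ffffff"
+"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+)";
     wxMemoryInputStream mis(xpm.data(), xpm.size());
     wxImage img;
     REQUIRE( !img.LoadFile(mis, wxBITMAP_TYPE_XPM) );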
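Review bot: The hard-coded input is not byte-equivalent to the string it replaces: the old data began with a bare `/* XPM */` line, while the raw string on the `const std::string xpm = R"(` line opens with `"/* XPM */"` inside double quotes. If the loader recognises XPM data by that leading comment, or treats the first quoted string as the values line (neither is visible here), the input would be rejected before the width handling runs and `REQUIRE( !img.LoadFile(...) )` would pass without exercising the overflow path. Starting the literal with `const std::string xpm = R"(/* XPM */` would restore the original first line. The enclosing test case starts outside the hunk.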
    

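--- a/tests/strings/strings.cpp
+++ b/tests/strings/strings.cpp
@@ -1233,6 +1233,9 @@ TEST_CASE("StringScopedBuffers", "[wxString]")
     wxCharBuffer buf5(5);
     buf5.extend(len);
     CHECK( buf5.data()[len] == '\0' );
+
+    const char buf8[8] = { };
+    CHECK( wxCharTypeBuffer<char>(buf8, sizeof(buf8)).length() == 8 );
 }
 
 TEST_CASE("StringSupplementaryUniChar", "[wxString]")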
