[wxWidgets/wxWidgets] 7348f0: Fix buffer overflow in deepCopyHostent() name copy
0 views
Skip to first unread message
Javid Khan
May 30, 2026, 7:06:46 PM (11 days ago) May 30
to wx-co...@googlegroups.com
Branch: refs/heads/master
Home: https://github.com/wxWidgets/wxWidgets
Commit: 7348f005b7f768634d79233a268bf42d7bee5893
https://github.com/wxWidgets/wxWidgets/commit/7348f005b7f768634d79233a268bf42d7bee5893
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M src/common/sckaddr.cpp
Log Message:
-----------
Fix buffer overflow in deepCopyHostent() name copy
This function, which is called by wxGethostby{name,addr}_r() if native
implementations of these functions are not available, could overflow the
input buffer by a byte if the host name was equal to the buffer size.
Fix the check for length, which also makes it consistent with the check
in deepCopyServent() just below.
Closes #26528.
Commit: 4cf9de30097c43447bc8e71054ee3212a8f879e3
https://github.com/wxWidgets/wxWidgets/commit/4cf9de30097c43447bc8e71054ee3212a8f879e3
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M src/common/tarstrm.cpp
M tests/archive/tartest.cpp
Log Message:
-----------
Fix integer overflow in tar extended header bounds check
recSize in wxTarInputStream::ReadExtendedHeader() comes from the
record's decimal byte-count field, so a pax header declaring a length
close to SIZE_MAX makes recPos + recSize wrap below len and pass the
check. The following pRec[recSize - 1] then reads far past the buffer,
which ASAN flags as a heap-buffer-overflow.
Comparing recSize against len - recPos avoids the wrap.
Closes #26530.
Commit: 18582927af8bb7e0f8283f7c4c854db7377d0272
https://github.com/wxWidgets/wxWidgets/commit/18582927af8bb7e0f8283f7c4c854db7377d0272
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M src/common/mimecmn.cpp
M tests/misc/misctests.cpp
Log Message:
-----------
Fix out-of-bounds read on trailing % in wxFileType::ExpandCommand()
A command ending in a bare '%' made the loop advance in this function
advance past the end of string.
Fix this by handling only non-trailing '%' specifically
Closes #26531.
Compare: https://github.com/wxWidgets/wxWidgets/compare/ccff9fe0f3ef...18582927af8b
To unsubscribe from these emails, change your notification settings at https://github.com/wxWidgets/wxWidgets/settings/notifications
Home: https://github.com/wxWidgets/wxWidgets
Commit: 7348f005b7f768634d79233a268bf42d7bee5893
https://github.com/wxWidgets/wxWidgets/commit/7348f005b7f768634d79233a268bf42d7bee5893
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M src/common/sckaddr.cpp
Log Message:
-----------
Fix buffer overflow in deepCopyHostent() name copy
This function, which is called by wxGethostby{name,addr}_r() if native
implementations of these functions are not available, could overflow the
input buffer by a byte if the host name was equal to the buffer size.
Fix the check for length, which also makes it consistent with the check
in deepCopyServent() just below.
Closes #26528.
Commit: 4cf9de30097c43447bc8e71054ee3212a8f879e3
https://github.com/wxWidgets/wxWidgets/commit/4cf9de30097c43447bc8e71054ee3212a8f879e3
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M src/common/tarstrm.cpp
M tests/archive/tartest.cpp
Log Message:
-----------
Fix integer overflow in tar extended header bounds check
recSize in wxTarInputStream::ReadExtendedHeader() comes from the
record's decimal byte-count field, so a pax header declaring a length
close to SIZE_MAX makes recPos + recSize wrap below len and pass the
check. The following pRec[recSize - 1] then reads far past the buffer,
which ASAN flags as a heap-buffer-overflow.
Comparing recSize against len - recPos avoids the wrap.
Closes #26530.
Commit: 18582927af8bb7e0f8283f7c4c854db7377d0272
https://github.com/wxWidgets/wxWidgets/commit/18582927af8bb7e0f8283f7c4c854db7377d0272
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M src/common/mimecmn.cpp
M tests/misc/misctests.cpp
Log Message:
-----------
Fix out-of-bounds read on trailing % in wxFileType::ExpandCommand()
A command ending in a bare '%' made the loop advance in this function
advance past the end of string.
Fix this by handling only non-trailing '%' specifically
Closes #26531.
Compare: https://github.com/wxWidgets/wxWidgets/compare/ccff9fe0f3ef...18582927af8b
To unsubscribe from these emails, change your notification settings at https://github.com/wxWidgets/wxWidgets/settings/notifications
Reply all
Reply to author
Forward
0 new messages