[wxWidgets/wxWidgets] b2d7c2: Reject TGA files with non-zero colour map origin
0 views
Skip to first unread message
VZ
May 25, 2026, 9:11:29 AMMay 25
to wx-co...@googlegroups.com
Branch: refs/heads/master
Home: https://github.com/wxWidgets/wxWidgets
Commit: b2d7c29f299e295637c05c5d6438ddf6eba5528b
https://github.com/wxWidgets/wxWidgets/commit/b2d7c29f299e295637c05c5d6438ddf6eba5528b
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-23 (Sat, 23 May 2026)
Changed paths:
M src/common/imagtga.cpp
M tests/image/image.cpp
Log Message:
-----------
Reject TGA files with non-zero colour map origin
ReadTGA() in src/common/imagtga.cpp allocates the palette buffer as
paletteLength * palEntrySize bytes (palette indices 0..paletteLength-1)
but the loop that fills it writes each entry at index paletteStart + i.
The paletteStart and paletteLength values come straight from the TGA
header (bytes 3-7 of the colour map specification) and aren't bounded
against each other. For any file with paletteStart > 0, the calls to
Palette_SetRGB()/Palette_SetRGBA() write past the end of the buffer:
e.g. paletteStart=100, paletteLength=10, palettebpp=24 allocates 30
bytes but writes at offsets 100..129. The subsequent
image->SetPalette(wxPalette((int) paletteLength, &palette[0], ...))
also reads from index 0 onward, so the rest of the loader was already
implicitly assuming paletteStart == 0.
Add an explicit early-return wxTGA_INVFORMAT in the colour-mapped
branch when paletteStart is non-zero, which is the assumption the
existing code makes anyway.
Closes #26493.
Commit: 313fbb08b448b92000e8136bf5f278b968eda888
https://github.com/wxWidgets/wxWidgets/commit/313fbb08b448b92000e8136bf5f278b968eda888
Author: Blake-Madden <66873089+B...@users.noreply.github.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/msw/webview_ie.cpp
Log Message:
-----------
Fix off-by-one buffer overflow in wxWebViewIE
wcscpy calling wasn't leaving space for the nul terminator
Commit: b6bfeaac4978f08057c12b099224a01907e702bf
https://github.com/wxWidgets/wxWidgets/commit/b6bfeaac4978f08057c12b099224a01907e702bf
Author: Blake-Madden <66873089+B...@users.noreply.github.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/msw/ole/uuid.cpp
Log Message:
-----------
Fix typo in UuidToCForm format string and use bounded wxSnprintf
Commit: 4b720bb216d34e0e5ee63d44a5de23e912f1ceeb
https://github.com/wxWidgets/wxWidgets/commit/4b720bb216d34e0e5ee63d44a5de23e912f1ceeb
Author: Blake-Madden <66873089+B...@users.noreply.github.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/msw/textctrl.cpp
Log Message:
-----------
Replace wxStrcpy with wxStrlcpy
Commit: b1722286466ffdea9f0f9a5caeb79150f019d398
https://github.com/wxWidgets/wxWidgets/commit/b1722286466ffdea9f0f9a5caeb79150f019d398
Author: Blake-Madden <66873089+B...@users.noreply.github.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/msw/textctrl.cpp
Log Message:
-----------
Get charset from CHARFORMAT in wxTextCtrl instead of hardcoding ANSI_CHARSET
Commit: 0b87887a991d2b90c9758dbd17edb73e58cfce73
https://github.com/wxWidgets/wxWidgets/commit/0b87887a991d2b90c9758dbd17edb73e58cfce73
Author: Blake-Madden <66873089+B...@users.noreply.github.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/msw/darkmode.cpp
Log Message:
-----------
Fix buffer size in characters, not bytes, for GetMenuItemInfo in dark mode menu handler
This is now it's done in mdi.cpp
Commit: 23775dfda6f41b50a6c4444f0c54da09bafda5d0
https://github.com/wxWidgets/wxWidgets/commit/23775dfda6f41b50a6c4444f0c54da09bafda5d0
Author: Blake-Madden <66873089+B...@users.noreply.github.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/msw/webview_ie.cpp
Log Message:
-----------
Use wxStrlcpy instead of wcscpy
This is being overly cautious since cchResult is verified above, but doesn't hurt
Commit: c8c1ca9bb8d9e7e7335d80c97e39917b39e22b79
https://github.com/wxWidgets/wxWidgets/commit/c8c1ca9bb8d9e7e7335d80c97e39917b39e22b79
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/common/imagiff.cpp
M tests/image/image.cpp
Log Message:
-----------
Stop reading past data end in truncated IFF BODY decode
Fix iff body truncation over-read in wxIFFDecoder::ReadIFF:
wxIFFDecoder::ReadIFF() sets chunkLen = dataend - dataptr on the
truncated BODY path, which is 8 too large because bodyptr lives 8 bytes
after dataptr. The non-RLE decode loop below then reads up to 8 bytes
past the end of databuf; clamp chunkLen to dataend - bodyptr instead.
Closes #26505.
Commit: 6069ea92b392948e61d1250fc24e192e8c39cea4
https://github.com/wxWidgets/wxWidgets/commit/6069ea92b392948e61d1250fc24e192e8c39cea4
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/unix/sound.cpp
Log Message:
-----------
Validate data chunk header room in wxSound::LoadWAV()
Don't read beyond the end of the buffer as could happen in case of a
44-byte WAV file with a 0-sized LIST chunk.
Closes #26506.
Commit: b29393b32796e543db335bfebd5045af2744c0c5
https://github.com/wxWidgets/wxWidgets/commit/b29393b32796e543db335bfebd5045af2744c0c5
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/common/zipstrm.cpp
M tests/archive/ziptest.cpp
Log Message:
-----------
Reject too-short ZIP64 extra field in wxZipEntry::LoadExtraInfo()
wxZipEntry::LoadExtraInfo() calls wxZipHeader::Read64() up to three
times on a wxZipHeader of length min(fieldLen, 28). Read64() doesn't
bounds-check m_pos against m_size, so a short ZIP64 extra field returns
uninitialised bytes from the header's 64-byte stack-allocated m_data and
they end up in the entry's m_Size / m_CompressedSize / m_Offset. Reject the
entry when fieldLen is below the requested 64-bit total.
Closes #26507.
Commit: 64b3221caac731815ad5c1db05e4cc99f17ad0f6
https://github.com/wxWidgets/wxWidgets/commit/64b3221caac731815ad5c1db05e4cc99f17ad0f6
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/msw/darkmode.cpp
M src/msw/ole/uuid.cpp
M src/msw/textctrl.cpp
M src/msw/webview_ie.cpp
Log Message:
-----------
Merge branch 'Review' of github.com:Blake-Madden/wxWidgets
Miscellaneous fixes mostly related to buffer sizes in wxMSW code.
See #26508.
Compare: https://github.com/wxWidgets/wxWidgets/compare/294a364b487a...64b3221caac7
To unsubscribe from these emails, change your notification settings at https://github.com/wxWidgets/wxWidgets/settings/notifications
Home: https://github.com/wxWidgets/wxWidgets
Commit: b2d7c29f299e295637c05c5d6438ddf6eba5528b
https://github.com/wxWidgets/wxWidgets/commit/b2d7c29f299e295637c05c5d6438ddf6eba5528b
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-23 (Sat, 23 May 2026)
Changed paths:
M src/common/imagtga.cpp
M tests/image/image.cpp
Log Message:
-----------
Reject TGA files with non-zero colour map origin
ReadTGA() in src/common/imagtga.cpp allocates the palette buffer as
paletteLength * palEntrySize bytes (palette indices 0..paletteLength-1)
but the loop that fills it writes each entry at index paletteStart + i.
The paletteStart and paletteLength values come straight from the TGA
header (bytes 3-7 of the colour map specification) and aren't bounded
against each other. For any file with paletteStart > 0, the calls to
Palette_SetRGB()/Palette_SetRGBA() write past the end of the buffer:
e.g. paletteStart=100, paletteLength=10, palettebpp=24 allocates 30
bytes but writes at offsets 100..129. The subsequent
image->SetPalette(wxPalette((int) paletteLength, &palette[0], ...))
also reads from index 0 onward, so the rest of the loader was already
implicitly assuming paletteStart == 0.
Add an explicit early-return wxTGA_INVFORMAT in the colour-mapped
branch when paletteStart is non-zero, which is the assumption the
existing code makes anyway.
Closes #26493.
Commit: 313fbb08b448b92000e8136bf5f278b968eda888
https://github.com/wxWidgets/wxWidgets/commit/313fbb08b448b92000e8136bf5f278b968eda888
Author: Blake-Madden <66873089+B...@users.noreply.github.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/msw/webview_ie.cpp
Log Message:
-----------
Fix off-by-one buffer overflow in wxWebViewIE
wcscpy calling wasn't leaving space for the nul terminator
Commit: b6bfeaac4978f08057c12b099224a01907e702bf
https://github.com/wxWidgets/wxWidgets/commit/b6bfeaac4978f08057c12b099224a01907e702bf
Author: Blake-Madden <66873089+B...@users.noreply.github.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/msw/ole/uuid.cpp
Log Message:
-----------
Fix typo in UuidToCForm format string and use bounded wxSnprintf
Commit: 4b720bb216d34e0e5ee63d44a5de23e912f1ceeb
https://github.com/wxWidgets/wxWidgets/commit/4b720bb216d34e0e5ee63d44a5de23e912f1ceeb
Author: Blake-Madden <66873089+B...@users.noreply.github.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/msw/textctrl.cpp
Log Message:
-----------
Replace wxStrcpy with wxStrlcpy
Commit: b1722286466ffdea9f0f9a5caeb79150f019d398
https://github.com/wxWidgets/wxWidgets/commit/b1722286466ffdea9f0f9a5caeb79150f019d398
Author: Blake-Madden <66873089+B...@users.noreply.github.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/msw/textctrl.cpp
Log Message:
-----------
Get charset from CHARFORMAT in wxTextCtrl instead of hardcoding ANSI_CHARSET
Commit: 0b87887a991d2b90c9758dbd17edb73e58cfce73
https://github.com/wxWidgets/wxWidgets/commit/0b87887a991d2b90c9758dbd17edb73e58cfce73
Author: Blake-Madden <66873089+B...@users.noreply.github.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/msw/darkmode.cpp
Log Message:
-----------
Fix buffer size in characters, not bytes, for GetMenuItemInfo in dark mode menu handler
This is now it's done in mdi.cpp
Commit: 23775dfda6f41b50a6c4444f0c54da09bafda5d0
https://github.com/wxWidgets/wxWidgets/commit/23775dfda6f41b50a6c4444f0c54da09bafda5d0
Author: Blake-Madden <66873089+B...@users.noreply.github.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/msw/webview_ie.cpp
Log Message:
-----------
Use wxStrlcpy instead of wcscpy
This is being overly cautious since cchResult is verified above, but doesn't hurt
Commit: c8c1ca9bb8d9e7e7335d80c97e39917b39e22b79
https://github.com/wxWidgets/wxWidgets/commit/c8c1ca9bb8d9e7e7335d80c97e39917b39e22b79
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/common/imagiff.cpp
M tests/image/image.cpp
Log Message:
-----------
Stop reading past data end in truncated IFF BODY decode
Fix iff body truncation over-read in wxIFFDecoder::ReadIFF:
wxIFFDecoder::ReadIFF() sets chunkLen = dataend - dataptr on the
truncated BODY path, which is 8 too large because bodyptr lives 8 bytes
after dataptr. The non-RLE decode loop below then reads up to 8 bytes
past the end of databuf; clamp chunkLen to dataend - bodyptr instead.
Closes #26505.
Commit: 6069ea92b392948e61d1250fc24e192e8c39cea4
https://github.com/wxWidgets/wxWidgets/commit/6069ea92b392948e61d1250fc24e192e8c39cea4
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/unix/sound.cpp
Log Message:
-----------
Validate data chunk header room in wxSound::LoadWAV()
Don't read beyond the end of the buffer as could happen in case of a
44-byte WAV file with a 0-sized LIST chunk.
Closes #26506.
Commit: b29393b32796e543db335bfebd5045af2744c0c5
https://github.com/wxWidgets/wxWidgets/commit/b29393b32796e543db335bfebd5045af2744c0c5
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/common/zipstrm.cpp
M tests/archive/ziptest.cpp
Log Message:
-----------
Reject too-short ZIP64 extra field in wxZipEntry::LoadExtraInfo()
wxZipEntry::LoadExtraInfo() calls wxZipHeader::Read64() up to three
times on a wxZipHeader of length min(fieldLen, 28). Read64() doesn't
bounds-check m_pos against m_size, so a short ZIP64 extra field returns
uninitialised bytes from the header's 64-byte stack-allocated m_data and
they end up in the entry's m_Size / m_CompressedSize / m_Offset. Reject the
entry when fieldLen is below the requested 64-bit total.
Closes #26507.
Commit: 64b3221caac731815ad5c1db05e4cc99f17ad0f6
https://github.com/wxWidgets/wxWidgets/commit/64b3221caac731815ad5c1db05e4cc99f17ad0f6
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/msw/darkmode.cpp
M src/msw/ole/uuid.cpp
M src/msw/textctrl.cpp
M src/msw/webview_ie.cpp
Log Message:
-----------
Merge branch 'Review' of github.com:Blake-Madden/wxWidgets
Miscellaneous fixes mostly related to buffer sizes in wxMSW code.
See #26508.
Compare: https://github.com/wxWidgets/wxWidgets/compare/294a364b487a...64b3221caac7
To unsubscribe from these emails, change your notification settings at https://github.com/wxWidgets/wxWidgets/settings/notifications
Reply all
Reply to author
Forward
0 new messages