[wxWidgets/wxWidgets] e0faab: Avoid harmless -Wunused-variable in unit tests
0 views
Skip to first unread message
Javid Khan
Jun 1, 2026, 8:12:56 AM (10 days ago) Jun 1
to wx-co...@googlegroups.com
Branch: refs/heads/3.2
Home: https://github.com/wxWidgets/wxWidgets
Commit: e0faab1ca3586ae02d44174abd3a056b9ec1a39b
https://github.com/wxWidgets/wxWidgets/commit/e0faab1ca3586ae02d44174abd3a056b9ec1a39b
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M tests/image/image.cpp
M tests/intl/intltest.cpp
M tests/strings/vararg.cpp
Log Message:
-----------
Avoid harmless -Wunused-variable in unit tests
This warning used to be suppressed in Catch headers, but this is not the
case any longer, so work around it in the tests themselves now.
(cherry picked from commit 895dd8424c9e3cfbf451279c2617121e6b140b1c)
Commit: ce957f451fb5c80ec8ab8905000649a5fa4a50e9
https://github.com/wxWidgets/wxWidgets/commit/ce957f451fb5c80ec8ab8905000649a5fa4a50e9
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M tests/image/image.cpp
Log Message:
-----------
Log image information earlier in the image unit test
Use INFO() before some checks that may already fail to at least show in
which test the failures occur.
(cherry picked from commit 612dfa447a521ea2dec5bdbf49843e245dd8de35)
Commit: 948c62526f58d90d423432f40f9189e15838792d
https://github.com/wxWidgets/wxWidgets/commit/948c62526f58d90d423432f40f9189e15838792d
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M tests/image/image.cpp
Log Message:
-----------
Relax checks for image equality in wxImage::ChangeColours
Allow difference of 1 as this is what we get when using -O2 with gcc 12.
(cherry picked from commit f77390551ff5bd390063885524cf90222734c766)
Commit: 03d55ccba5cbbcf863d9b2680a117c9c4b37df34
https://github.com/wxWidgets/wxWidgets/commit/03d55ccba5cbbcf863d9b2680a117c9c4b37df34
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M tests/image/image.cpp
Log Message:
-----------
Improve wxImage::ChangeColours test code
Use a helper function to both make it shorter and provide more
information in case of a check failure: now the output will include the
name of the file, comparing with which failed, allowing to immediately
see which test failed.
(cherry picked from commit 2ed4e6bee4ee7659405862f5ff311429c44338f5)
Commit: 273a100dc258638b8a71494350149f5a4c7888c6
https://github.com/wxWidgets/wxWidgets/commit/273a100dc258638b8a71494350149f5a4c7888c6
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M tests/image/image.cpp
Log Message:
-----------
Improve TIFF saving test code
Give more details in case of failure by using INFO() and use simple
CHECK()s instead of ugly WX_ASSERT_EQUAL_MESSAGE as they will show the
failing test anyhow.
No real changes.
(cherry picked from commit c9efe227630c45533a914f1d517446842394b39c)
Commit: 65a3974170123a3f0b5ff6e9a0ed7731c34bbd53
https://github.com/wxWidgets/wxWidgets/commit/65a3974170123a3f0b5ff6e9a0ed7731c34bbd53
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M tests/image/image.cpp
Log Message:
-----------
Remove CppUnit boilerplate in wxImage unit test
No real changes, just remove all the ugly compatibility macros.
(cherry picked from commit d56d773a557d1fd2e4e9484b1807f4d4df0a440a)
Commit: 5342ba2e4b20c6d9c5c169ef7dd2eeb3b3f71109
https://github.com/wxWidgets/wxWidgets/commit/5342ba2e4b20c6d9c5c169ef7dd2eeb3b3f71109
Author: Brian Nixon <nix...@yahoo.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M build/cmake/tests/gui/CMakeLists.txt
M docs/changes.txt
M src/common/imagbmp.cpp
M src/msw/dib.cpp
M tests/Makefile.in
A tests/image/bitfields-alpha.bmp
M tests/image/image.cpp
M tests/makefile.gcc
M tests/makefile.vc
M tests/test.bkl
Log Message:
-----------
Correct loading of `BI_BITFIELDS` bitmaps
This fixes several minor bugs in the loading of `BI_BITFIELDS` bitmaps,
related to handling different header sizes and the colour and alpha
masks.
See #23601.
(cherry picked from commit d78e9fb1cb7718f9d62c9ad400a97dea23b179bd)
Commit: 33e6f770ab582b66916e6d0ad5231a6682c3fbbc
https://github.com/wxWidgets/wxWidgets/commit/33e6f770ab582b66916e6d0ad5231a6682c3fbbc
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M tests/Makefile.in
A tests/image/bad_truncated.gif
M tests/image/image.cpp
M tests/makefile.gcc
M tests/makefile.vc
M tests/test.bkl
Log Message:
-----------
Add tests for reading truncated GIF image
This should have been part of 217ecf0096 (Fix crash when reading
truncated GIF image, 2023-07-02).
See #23409.
Commit: 235cb8bf3dd3609953519f4b132b8b513fc85bd2
https://github.com/wxWidgets/wxWidgets/commit/235cb8bf3dd3609953519f4b132b8b513fc85bd2
Author: paulcor <pau...@users.noreply.github.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M build/cmake/tests/gui/CMakeLists.txt
M docs/changes.txt
M src/common/imagbmp.cpp
M tests/Makefile.in
A tests/image/32bpp_rgb.bmp
M tests/image/image.cpp
M tests/makefile.gcc
M tests/makefile.vc
M tests/test.bkl
Log Message:
-----------
Fix loading BMP files which use 32bpp but do not have valid alpha
Based on the behavior of WIN32 LoadFile(), and the gdk-pixbuf BMP loader
source code, the alpha values are ignored unless the compression method
is BI_BITFIELDS.
See #10915, #24219.
(cherry picked from commit b21642b72b4128f0b64ed7d79b4d320cbfc35497)
Commit: b0db3a9fdb7d46580860549423c4c1b42166c87d
https://github.com/wxWidgets/wxWidgets/commit/b0db3a9fdb7d46580860549423c4c1b42166c87d
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M src/common/imagbmp.cpp
M tests/image/32bpp_rgb.bmp
A tests/image/32bpp_rgb.ico
M tests/image/image.cpp
Log Message:
-----------
Fix loading ICO files with alpha broken by parent commit
The rules are different than for BMP files. Broken by parent 3676d34f8e
(Fix loading BMP files which use 32bpp but do not have valid alpha,
2024-11-04) which was backported from master as is.
See #24219, #24955.
(cherry picked from commit b321af212d1923cef590675510c885762ece47c5)
Commit: 2807118e02c3f8cd5968e4d07d8174f1b6b209a1
https://github.com/wxWidgets/wxWidgets/commit/2807118e02c3f8cd5968e4d07d8174f1b6b209a1
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M build/cmake/tests/gui/CMakeLists.txt
M src/common/imagbmp.cpp
M tests/Makefile.in
A tests/image/32bpp_rgb_a0.ico
M tests/image/image.cpp
M tests/makefile.gcc
M tests/makefile.vc
M tests/test.bkl
Log Message:
-----------
Fix loading ICO files with fully transparent alpha
Windows behavior is to ignore alpha in that case. Broken by grand parent
commit 3676d34f8e (Fix loading BMP files which use 32bpp but do not have
valid alpha, 2024-11-04) backported as is from master.
(cherry picked from commit dc83c4ca0eaa247950aaa9a9e114a21b46b6ae17)
Commit: 282d71e0dab88143423652d1ee02ecd07e16018d
https://github.com/wxWidgets/wxWidgets/commit/282d71e0dab88143423652d1ee02ecd07e16018d
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M build/cmake/tests/gui/CMakeLists.txt
M docs/changes.txt
M src/common/imagbmp.cpp
M tests/Makefile.in
A tests/image/badrle4.bmp
M tests/image/image.cpp
M tests/makefile.gcc
M tests/makefile.vc
M tests/test.bkl
Log Message:
-----------
Avoid memory overwrite on malformed BMP with invalid RLE data
(cherry picked from commit 443b64c11cc2b44a0fd713e90efa4300e279ea59)
Commit: f5b1ffe755f5d15756827d53df9c4900e0abe1de
https://github.com/wxWidgets/wxWidgets/commit/f5b1ffe755f5d15756827d53df9c4900e0abe1de
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M build/cmake/tests/gui/CMakeLists.txt
M src/common/imagbmp.cpp
M tests/Makefile.in
M tests/image/image.cpp
A tests/image/rgb16-3103.bmp
M tests/makefile.gcc
M tests/makefile.vc
M tests/test.bkl
Log Message:
-----------
Avoid negative shift count with valid BMP file
Detected by undefined behavior sanitizer, on a file with 16 bpp and a color
component of more than 8 bits. Fix by using a different, and more accurate,
method to scale color components to 8 bits.
(cherry picked from commit 05404fd3796075b10e352288481e4b40cf44ddca)
Commit: b30bb76293b6d06361c3f5eb00677033d26bd5d4
https://github.com/wxWidgets/wxWidgets/commit/b30bb76293b6d06361c3f5eb00677033d26bd5d4
Author: Brian Nixon <nix...@yahoo.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M docs/changes.txt
M src/common/imagbmp.cpp
M tests/image/image.cpp
M tests/image/rle8-delta-320x240-expected.bmp
Log Message:
-----------
Correct delta-RLE bitmap background colour
Use black instead of the first palette colour for the implicit
background for RLE bitmaps for consistency with Windows itself.
See #23599.
(cherry picked from commit b473163da20c1f36caaf2e4db512bb8fb4d73a93)
Commit: 4adc01192be9ba095a51c6a01654195ea6a55244
https://github.com/wxWidgets/wxWidgets/commit/4adc01192be9ba095a51c6a01654195ea6a55244
Author: Brian Nixon <nix...@yahoo.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M src/common/imagbmp.cpp
M tests/image/image.cpp
M tests/image/rle8-delta-320x240-expected.bmp
Log Message:
-----------
Restore old delta-RLE bitmap background setting
Revert the change introduced in parent commit c7378c6aa3 (Correct
delta-RLE bitmap background colour, 2023-06-02) cherry-picked from
master as is, and restore the setting of the background of delta-RLE
bitmaps to the first entry in the colour table. This retains earlier
wxWidgets behaviour and matches Windows `LoadImage()` with
`LR_CREATEDIBSECTION`.
See #23638, #23657.
(cherry picked from commit e1e2e982e30cfcc8d07e1ee4d4e5ce6964fc619d)
Commit: c83ef3189b89854c369f0e3dd533a0a30293daf6
https://github.com/wxWidgets/wxWidgets/commit/c83ef3189b89854c369f0e3dd533a0a30293daf6
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M src/common/imagbmp.cpp
M tests/image/image.cpp
Log Message:
-----------
Avoid assertion failure on BMP file with invalid or too-large size
(cherry picked from commit 5ff83b400c96a12adb2222adce1391c9bd7f6503)
Commit: 4b9915d9462c77c3696448d433feacc5b3e77463
https://github.com/wxWidgets/wxWidgets/commit/4b9915d9462c77c3696448d433feacc5b3e77463
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M src/common/imagbmp.cpp
Log Message:
-----------
Reduce the scope of some local variables
And switch to unsigned types for things which are not signed.
(cherry picked from commit b8199fa9ceae805189ddd325c982e52cc8bd4757)
Commit: 1c677c7c5872afb4883b0f40e00bb698ca5e773e
https://github.com/wxWidgets/wxWidgets/commit/1c677c7c5872afb4883b0f40e00bb698ca5e773e
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M build/cmake/tests/gui/CMakeLists.txt
M src/common/imagbmp.cpp
M tests/Makefile.in
M tests/image/image.cpp
A tests/image/rgb32-7187.bmp
M tests/makefile.gcc
M tests/makefile.vc
M tests/test.bkl
Log Message:
-----------
Up-scale BMP color components using Windows-compatible method
This allows tests to compare against native behavior under Windows
(cherry picked from commit 45a7efd6425c2eb0dc6e7cab5d813b9847e165bf)
Commit: 99cd1bed5f0f48d4cd386433297988791fa85b2d
https://github.com/wxWidgets/wxWidgets/commit/99cd1bed5f0f48d4cd386433297988791fa85b2d
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M build/cmake/tests/gui/CMakeLists.txt
M src/common/imagbmp.cpp
M tests/Makefile.in
M tests/image/image.cpp
A tests/image/rgb32bf.bmp
A tests/image/rgba32.bmp
M tests/makefile.gcc
M tests/makefile.vc
M tests/test.bkl
Log Message:
-----------
Handle BMP alpha the same way Windows does
Windows ignores alpha unless the format is 8-bit ARGB, and alpha is not
all zeros.
(cherry picked from commit e7e352d5f4315116656e21a996c08864021ff80b)
Commit: fa5dca61d663f1b85316ce1080586c3b5bac1936
https://github.com/wxWidgets/wxWidgets/commit/fa5dca61d663f1b85316ce1080586c3b5bac1936
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M tests/image/image.cpp
Log Message:
-----------
Fix BMP test under Wine
Apparently Wine does not handle BMP exactly like Windows
(cherry picked from commit 4d5fbf5afa276ebec0fed95c8feb5d6ec485622d)
Commit: 94462af4093c4692ddc7b8653a8c2cbb880e9113
https://github.com/wxWidgets/wxWidgets/commit/94462af4093c4692ddc7b8653a8c2cbb880e9113
Author: MarkLee131 <kaixu...@ntu.edu.sg>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M docs/changes.txt
M src/common/imagbmp.cpp
M tests/image/image.cpp
Log Message:
-----------
Avoid out-of-bounds palette read in 8bpp BMP decoder
The non-RLE 8bpp branch at imagbmp.cpp:903, plus the RLE absolute and
RLE encoded branches a few lines above, all index cmap[aByte] without
checking aByte against the palette colour count. A BMP that pairs a
small palette with a colour-index byte >= ncolors reads past the
palette and the value flows into the decoded pixel.
Reject the file (return false) at each site, matching the surrounding
"return false on malformed input" pattern.
See #26438, #26439.
(cherry picked from commit b305cb4e4de77fb37807aa89e02643c4b0240d8f)
Commit: ca1c3f756714b6004f1cd10f911098b30de48361
https://github.com/wxWidgets/wxWidgets/commit/ca1c3f756714b6004f1cd10f911098b30de48361
Author: MarkLee131 <kaixu...@ntu.edu.sg>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M docs/changes.txt
M src/common/imagpcx.cpp
M tests/image/image.cpp
Log Message:
-----------
Avoid out-of-bounds line-buffer read in wxPCXHandler::LoadFile
The PCX header's width and bytesperline are independent fields,
never cross-validated. A header with width > bytesperline produces a
small per-line buffer p and then reads p[i] for i < width past the
buffer end (the 24-bit branch additionally reads p[i + 2 * bytesperline]).
Reject the file when width exceeds bytesperline, or when either is
non-positive.
See #26441, #26443.
(cherry picked from commit edae38f44a22bd7a37339bbfdadbb408db08c796)
Commit: 1a488980a8b038b583ff34040785137d1c4a6bef
https://github.com/wxWidgets/wxWidgets/commit/1a488980a8b038b583ff34040785137d1c4a6bef
Author: MarkLee131 <kaixu...@ntu.edu.sg>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M docs/changes.txt
M src/common/xpmdecod.cpp
M tests/image/image.cpp
Log Message:
-----------
Avoid out-of-bounds read in wxXPMDecoder::ReadFile on unterminated comment
When the inner loop scanning for the '*/' that closes a '/*' comment
exits because *q == '\0' (no closing marker before end-of-buffer),
the subsequent strlen(q + 2) reads past the allocated wxCharBuffer.
Bail out of the outer loop in that case.
See #26442, #26444.
(cherry picked from commit f4296791320ac13ba2ddf1e6db91ab3e8b7b0285)
Commit: e9c086f8acfb49153e33aa2037d0cc45feef054a
https://github.com/wxWidgets/wxWidgets/commit/e9c086f8acfb49153e33aa2037d0cc45feef054a
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M tests/strings/vararg.cpp
Log Message:
-----------
Avoid another warning triggered by the last warning workaround
Initialize a variable to avoid -Wmaybe-uninitialized triggered by using
wxUnusedVar() with it now.
(cherry picked from commit f2cfcd3d2faaedfbae9b4ed7de866a15d24c4a3f)
Commit: 5c6413d412271a7d079c680d8906be622e969357
https://github.com/wxWidgets/wxWidgets/commit/5c6413d412271a7d079c680d8906be622e969357
Author: Václav Slavík <vac...@slavik.io>
Date: 2026-05-15 (Fri, 15 May 2026)
Changed paths:
M docs/changes.txt
M src/gtk/textctrl.cpp
Log Message:
-----------
wxGTK: Fix wxTextCtrl crash with GSpell attached
The logic in wxTextCtrl::DoFreeze() for deleting leaked anonymous marks
when detaching the buffer kept raw pointers to GtkTextMark objects
without managing their reference count.
This worked for the specific internal mark targeted by this code, but
broke with other marks that may have become invalid in the meantime.
Specifically, GSpell uses such marks internally too, causing a
use-after-free crash.
Fixed by ref-counting the objects kept in m_anonymousMarkList.
See #26464.
(cherry picked from commit 7a7ab636e36cd01540c038bef2430ffcfa048681)
Commit: 1eb48abb92cb2921a18427e13bfa2cf14ea4cc8e
https://github.com/wxWidgets/wxWidgets/commit/1eb48abb92cb2921a18427e13bfa2cf14ea4cc8e
Author: Václav Slavík <vac...@slavik.io>
Date: 2026-05-15 (Fri, 15 May 2026)
Changed paths:
M docs/contributing/translators-guide.md
M docs/doxygen/mainpages/translations.h
M docs/doxygen/overviews/internationalization.h
Log Message:
-----------
Update Poedit links
Update links to Poedit in the docs, plus adjacent things things such as
the name or current path to xgettext.
See #26465.
(cherry picked from commit 63331c31f4f04ab2ce4d255fd4d1753d143ca83a)
Commit: 191768e30b763c3efd994af0c7f1f5cac48637f9
https://github.com/wxWidgets/wxWidgets/commit/191768e30b763c3efd994af0c7f1f5cac48637f9
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-15 (Fri, 15 May 2026)
Changed paths:
M docs/changes.txt
M src/unix/threadpsx.cpp
Log Message:
-----------
Fix computing wait end time in pthreads wxCondition implementation
The old code didn't work for the dates after 2038 due to the use of
GetLo() which discarded the high part of 64 bit time value.
Simply stop doing it to fix the bug both for wxCondition and for
wxSemaphore which uses it internally.
See #26466.
(cherry picked from commit 24e72ef30e87377c1ec7158f11f79b58dcbb3b61)
Commit: bfdfaa0b8b799ce434f426996b77085f5ebde8d5
https://github.com/wxWidgets/wxWidgets/commit/bfdfaa0b8b799ce434f426996b77085f5ebde8d5
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-19 (Tue, 19 May 2026)
Changed paths:
M docs/changes.txt
M src/generic/graphicc.cpp
Log Message:
-----------
Make GTK3 dashed line appearance similar to MSW
Scale the segment lengths to the pen width properly, and match the MSW lengths.
Apparently MSW doesn't have a long dash, so use twice the short dash for that.
See #26449.
(cherry picked from commit ec0149a9320549efd41e02c24a1b744b217d04f1)
Commit: 268d8d5beec1b5ea2614a48270d519e9f80f4e3a
https://github.com/wxWidgets/wxWidgets/commit/268d8d5beec1b5ea2614a48270d519e9f80f4e3a
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-19 (Tue, 19 May 2026)
Changed paths:
M src/gtk/dcclient.cpp
Log Message:
-----------
Make GTK2 dashed line appearance similar to MSW
See #26449.
(cherry picked from commit c968631837d74af60a8c454d2253d8f0b550949c)
Commit: 3b2774a614763c6df066b81fc6597e68e9cd6d1d
https://github.com/wxWidgets/wxWidgets/commit/3b2774a614763c6df066b81fc6597e68e9cd6d1d
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-19 (Tue, 19 May 2026)
Changed paths:
M docs/changes.txt
M src/gtk/toplevel.cpp
Log Message:
-----------
Fix non-resizable TLW size on GTK when client size is set to initial size
See #26480.
(cherry picked from commit af199c40f9511663f2ae6b1dff6bda296c356c5e)
Commit: fb9fc75925e8ac3c8b98d9dcf3a486ab53702792
https://github.com/wxWidgets/wxWidgets/commit/fb9fc75925e8ac3c8b98d9dcf3a486ab53702792
Author: Stefan Csomor <cso...@advancedconcepts.ch>
Date: 2026-05-20 (Wed, 20 May 2026)
Changed paths:
M include/wx/osx/core/private.h
Log Message:
-----------
OSX 10.10 compatibility for compositing operators
* Add defines for macOS < 10.12 in private header
See #26472, #26476.
(cherry picked from commit e15db260b28951bee492307961c7690d60fa443f)
Commit: 0022c8ef919231f49f85e6074e73b0f750e345f2
https://github.com/wxWidgets/wxWidgets/commit/0022c8ef919231f49f85e6074e73b0f750e345f2
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-21 (Thu, 21 May 2026)
Changed paths:
M docs/changes.txt
M src/common/imagiff.cpp
M tests/image/image.cpp
Log Message:
-----------
Avoid out-of-bounds palette write in wxIFFDecoder::ConvertToImage()
See #26440.
(cherry picked from commit d4188f68378ddb275257d765f9b6b765a893751e)
Commit: 38da54b4c47fe2100f80992689b5c2a63ad55001
https://github.com/wxWidgets/wxWidgets/commit/38da54b4c47fe2100f80992689b5c2a63ad55001
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-22 (Fri, 22 May 2026)
Changed paths:
M build/cmake/tests/gui/CMakeLists.txt
M tests/test.bkl
Log Message:
-----------
Add new test GIF image to CMake builds too
This should have been done in c2e5749443 (Fix crash when reading
truncated GIF image, 2023-07-02), but was forgotten there -- so do it
now, and add a comment reminding not to forget it the next time.
See #23409.
(cherry picked from commit aa77eb91b0111fdd3bce9d0b2833e43923e93705)
Commit: 60017126800df20f39d94c7f6fb1a8b8519bc85e
https://github.com/wxWidgets/wxWidgets/commit/60017126800df20f39d94c7f6fb1a8b8519bc85e
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-22 (Fri, 22 May 2026)
Changed paths:
M docs/changes.txt
M src/common/imagbmp.cpp
M tests/image/image.cpp
Log Message:
-----------
Reject BMP RLE absolute runs that overrun the current scanline
In src/common/imagbmp.cpp::LoadBMPData() the absolute-mode branches of
both the BI_RLE4 (around line 763) and BI_RLE8 (around line 870) decode
loops increment 'column' for each pixel without checking it against
'width'. The image buffer is sized width * height * 3 and 'poffset' is
computed as line * width * 3 + column * 3, so an absolute escape with
a count larger than (width - column) keeps writing through the rest of
the row and into adjacent rows or past the end of the buffer entirely
on the last decoded scanline.
The neighbouring encoded-mode branches at lines 798 and 896 already use
"&& column < width" to clamp runs to the row width, and the delta-mode
branch at lines 758 and 863 rejects out-of-range row offsets, so the
absolute branches are the only RLE paths left without bounds checking.
Reject the file with return false when the absolute run would extend
past the right edge of the current row, matching the existing
"return false on malformed input" pattern in the same function.
Add a regression test that loads a 4x4 8bpp RLE BMP with an absolute
escape claiming 100 pixels on the first row and expects the loader to
fail rather than write past the image buffer.
See #26496.
(cherry picked from commit d1d6605e93961e3afe5778c14f951956db55fe1e)
Commit: 597c0ab32252622fb4fe641febcefcb00d734a17
https://github.com/wxWidgets/wxWidgets/commit/597c0ab32252622fb4fe641febcefcb00d734a17
Author: jmestwa-coder <jme...@gmail.com>
Date: 2026-05-22 (Fri, 22 May 2026)
Changed paths:
M docs/changes.txt
M src/common/imagiff.cpp
M tests/image/image.cpp
Log Message:
-----------
Validate IFF BMHD fields to prevent pixel-buffer overflow
wxIFFDecoder::ReadIFF() in src/common/imagiff.cpp parses the BMHD
chunk without bounding the width, height or bitplane count. The
subsequent pixel buffer is allocated with
m_image->p = new byte[bmhd_width * bmhd_height * 3];
using signed-int multiplication. With bmhd_width = 21849 and
bmhd_height = 65535 (both legal 16-bit BMHD values) the product
4,295,622,645 overflows int and wraps down to 655,349, so only
~640 KiB is actually allocated. The BODY decode loop then writes
3 * bmhd_width bytes per row, so a BODY chunk supplying just 10
lineskips of zeros (lineskip = 2732 for this width, total 27,320
bytes) is enough to overrun the allocation. A bmhd_bitplanes or
bmhd_width of zero also makes lineskip * bmhd_bitplanes zero and
causes a divide-by-zero in the height computation a few lines
later.
Reject malformed BMHD chunks at parse time: require positive
width, height and bitplane count, cap the bitplane count at 32
(the largest format the decoder handles is 24-bit ILBM), and cap
bmhd_width * bmhd_height so that the product multiplied by 3
stays within INT_MAX. This makes the existing int-typed buffer
size computation safe and keeps the patch local to the BMHD
parsing branch.
A unit test in tests/image/image.cpp builds the malformed IFF
described above in memory, registers the IFF handler and asserts
that LoadFile() rejects it; without the fix the test triggers a
heap-buffer-overflow during BODY decoding.
See #26497.
(cherry picked from commit d22a91e95268d2748fcf6656d70158f2c43ae234)
Commit: 61d185f16934c38e84b798335831c07007343639
https://github.com/wxWidgets/wxWidgets/commit/61d185f16934c38e84b798335831c07007343639
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-23 (Sat, 23 May 2026)
Changed paths:
M src/common/strconv.cpp
Log Message:
-----------
Fix static order initialization problem in wxCSConv
wxCSConv::wxCSConv() called during global variables initialization could
use the yet uninitialized global gs_nameCache.
Fix this in the usual way, by wrapping the global in a function to
ensure that it is always initialized before being used.
(cherry picked from commit d3fb6dcaddd15994cc21213d99aa350d4e259346)
Commit: 2d00db9e1c8b953dc7b70022f91f3266371d395a
https://github.com/wxWidgets/wxWidgets/commit/2d00db9e1c8b953dc7b70022f91f3266371d395a
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-23 (Sat, 23 May 2026)
Changed paths:
M docs/changes.txt
M src/common/gifdecod.cpp
M tests/image/image.cpp
Log Message:
-----------
Reject GIF files with LZW minimum code size > 11
The minimum code size byte that follows the local colour table in
wxGIFDecoder::LoadGIF() is only checked for <= 0. dgif() sizes
ab_prefix/ab_tail with allocSize = 4096 + 1, so a value of 12
starts ab_free at 4098 and the first alphabet update at
gifdecod.cpp:457 writes one entry past the end of both arrays. The
existing wxASSERT(ab_free < allocSize) already flagged this in debug
builds. The new wxImage::BadGIFLZWMinCodeSize test feeds a 37-byte
2x1 GIF with code size 12 to LoadFile and asserts it is rejected.
See #26501.
(cherry picked from commit 71d58842ebc709c925ef8a28821a1656d6170181)
Commit: 4398e72c4a0b8144883a8857e37f6bf433c1d346
https://github.com/wxWidgets/wxWidgets/commit/4398e72c4a0b8144883a8857e37f6bf433c1d346
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-23 (Sat, 23 May 2026)
Changed paths:
M src/common/gifdecod.cpp
Log Message:
-----------
Fix memory leak when loading invalid GIF files
This was already attempted back in 56ba039411 (fixed memory leaks when
reading invalid GIFs, 2007-03-30) but the cleanup guard added there
didn't really fix anything as we need to free memory in GIFImage, not
wxGIFDecoder itself.
Really fix this now by calling the newly added GIFImage::Free() and not
wxGIFDecoder::Destroy(), which will be called by the dtor anyhow, on
error.
See #26501.
(cherry picked from commit 5bc58ae3d1a844dae30e77be3812d95c566c14f5)
Commit: d8dd2ac4dfe34e87f5cbd0bc471fc2e0b9d040d6
https://github.com/wxWidgets/wxWidgets/commit/d8dd2ac4dfe34e87f5cbd0bc471fc2e0b9d040d6
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-23 (Sat, 23 May 2026)
Changed paths:
M docs/changes.txt
M src/common/xpmdecod.cpp
M tests/image/image.cpp
Log Message:
-----------
Stop reading past wxCharBuffer end on unterminated XPM quote
The quote-stripping loop in wxXPMDecoder::ReadFile() sets p = q + 1
after strncpy(). If the closing " was missing, q stopped at the
buffer terminator, so p ended up one past it and the outer for-loop's
p++ then dereferenced two bytes off the end of the wxCharBuffer.
Mirror the already-existing /*-comment treatment and break out of the
loop when *q == '\0'.
See #26499.
(cherry picked from commit 49a4dbee56bca3737a26f91ae32b6a6d6cca6f8a)
Commit: f70412d148b20a94f44b8471c74432a86b669714
https://github.com/wxWidgets/wxWidgets/commit/f70412d148b20a94f44b8471c74432a86b669714
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-23 (Sat, 23 May 2026)
Changed paths:
M docs/changes.txt
M src/common/imagtga.cpp
M tests/image/image.cpp
Log Message:
-----------
Reject TGA files with non-zero colour map origin
ReadTGA() in src/common/imagtga.cpp allocates the palette buffer as
paletteLength * palEntrySize bytes (palette indices 0..paletteLength-1)
but the loop that fills it writes each entry at index paletteStart + i.
The paletteStart and paletteLength values come straight from the TGA
header (bytes 3-7 of the colour map specification) and aren't bounded
against each other. For any file with paletteStart > 0, the calls to
Palette_SetRGB()/Palette_SetRGBA() write past the end of the buffer:
e.g. paletteStart=100, paletteLength=10, palettebpp=24 allocates 30
bytes but writes at offsets 100..129. The subsequent
image->SetPalette(wxPalette((int) paletteLength, &palette[0], ...))
also reads from index 0 onward, so the rest of the loader was already
implicitly assuming paletteStart == 0.
Add an explicit early-return wxTGA_INVFORMAT in the colour-mapped
branch when paletteStart is non-zero, which is the assumption the
existing code makes anyway.
See #26493.
(cherry picked from commit b2d7c29f299e295637c05c5d6438ddf6eba5528b)
Commit: cb63e1caa07cef38eef5a2922e6a24dd65424552
https://github.com/wxWidgets/wxWidgets/commit/cb63e1caa07cef38eef5a2922e6a24dd65424552
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M docs/changes.txt
M src/common/imagiff.cpp
M tests/image/image.cpp
Log Message:
-----------
Stop reading past data end in truncated IFF BODY decode
Fix iff body truncation over-read in wxIFFDecoder::ReadIFF:
wxIFFDecoder::ReadIFF() sets chunkLen = dataend - dataptr on the
truncated BODY path, which is 8 too large because bodyptr lives 8 bytes
after dataptr. The non-RLE decode loop below then reads up to 8 bytes
past the end of databuf; clamp chunkLen to dataend - bodyptr instead.
See #26505.
(cherry picked from commit c8c1ca9bb8d9e7e7335d80c97e39917b39e22b79)
Commit: 86ff82377b8190a1d8bdb7bd100ca9a775e10a5b
https://github.com/wxWidgets/wxWidgets/commit/86ff82377b8190a1d8bdb7bd100ca9a775e10a5b
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M docs/changes.txt
M src/unix/sound.cpp
Log Message:
-----------
Validate data chunk header room in wxSound::LoadWAV()
Don't read beyond the end of the buffer as could happen in case of a
44-byte WAV file with a 0-sized LIST chunk.
See #26506.
(cherry picked from commit 6069ea92b392948e61d1250fc24e192e8c39cea4)
Commit: 9093f4c73d7aa143c4b17d04f15bf4f98f2768f3
https://github.com/wxWidgets/wxWidgets/commit/9093f4c73d7aa143c4b17d04f15bf4f98f2768f3
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M docs/changes.txt
M src/common/zipstrm.cpp
M tests/archive/ziptest.cpp
Log Message:
-----------
Reject too-short ZIP64 extra field in wxZipEntry::LoadExtraInfo()
wxZipEntry::LoadExtraInfo() calls wxZipHeader::Read64() up to three
times on a wxZipHeader of length min(fieldLen, 28). Read64() doesn't
bounds-check m_pos against m_size, so a short ZIP64 extra field returns
uninitialised bytes from the header's 64-byte stack-allocated m_data and
they end up in the entry's m_Size / m_CompressedSize / m_Offset. Reject the
entry when fieldLen is below the requested 64-bit total.
See #26507.
(cherry picked from commit b29393b32796e543db335bfebd5045af2744c0c5)
Commit: 30135386e3fd20b85c17b390871df905cbcc1bd2
https://github.com/wxWidgets/wxWidgets/commit/30135386e3fd20b85c17b390871df905cbcc1bd2
Author: Blake-Madden <66873089+B...@users.noreply.github.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/msw/webview_ie.cpp
Log Message:
-----------
Fix off-by-one buffer overflow in wxWebViewIE
wcscpy calling wasn't leaving space for the nul terminator
See #26508.
(cherry picked from commit 313fbb08b448b92000e8136bf5f278b968eda888)
Commit: fbec26062b768e1e5ca642621a7c1377c60d6e9e
https://github.com/wxWidgets/wxWidgets/commit/fbec26062b768e1e5ca642621a7c1377c60d6e9e
Author: Blake-Madden <66873089+B...@users.noreply.github.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/msw/ole/uuid.cpp
Log Message:
-----------
Fix typo in UuidToCForm format string and use bounded wxSnprintf
See #26508.
(cherry picked from commit b6bfeaac4978f08057c12b099224a01907e702bf)
Commit: a76b6c8efed24eb0c22269e868254959f6662ce3
https://github.com/wxWidgets/wxWidgets/commit/a76b6c8efed24eb0c22269e868254959f6662ce3
Author: Blake-Madden <66873089+B...@users.noreply.github.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/msw/textctrl.cpp
Log Message:
-----------
Get charset from CHARFORMAT in wxTextCtrl instead of hardcoding ANSI_CHARSET
See #26508.
(cherry picked from commit b1722286466ffdea9f0f9a5caeb79150f019d398)
Commit: c60dbd15ff19072ea520f47102679e01eaf329f1
https://github.com/wxWidgets/wxWidgets/commit/c60dbd15ff19072ea520f47102679e01eaf329f1
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-26 (Tue, 26 May 2026)
Changed paths:
M docs/changes.txt
M src/common/anidecod.cpp
M tests/image/image.cpp
Log Message:
-----------
Validate ANI frame indices against loaded icon count
The SEQ chunk of an ANI file gives a 32-bit image index per animation
step. These values were stored into wxANIFrameInfo::m_imageIndex
verbatim, without any check against the number of icon chunks actually
loaded into m_images. wxANIDecoder::ConvertToImage() and
GetTransparentColour() then used the value as an index into m_images
directly, so a malformed ANI file could trigger an out-of-bounds vector
access when the file is displayed.
Reject the file in Load() if any of the indices is negative or points
past the end of m_images, and also reject files that produced no icon
chunks at all so the subsequent m_images[0] reference is safe.
See #26492.
(cherry picked from commit a676a0f1f51f5c94036d64df3863664586937aa6)
Commit: d301e9ed5ed834c6c49d543da8c291eb08c9f619
https://github.com/wxWidgets/wxWidgets/commit/d301e9ed5ed834c6c49d543da8c291eb08c9f619
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-26 (Tue, 26 May 2026)
Changed paths:
M docs/changes.txt
M src/common/imagbmp.cpp
M tests/image/image.cpp
Log Message:
-----------
Validate 4-bit BMP palette index against number of colors
Fix out-of-bounds read when decoding 4bpp BMP with invalid palette
indices.
See #26511.
(cherry picked from commit b47e2bb3527862397cafc7d200637db2ec0194f8)
Commit: d41256470b96c2f9c63c0c0b9c658c92831c5c53
https://github.com/wxWidgets/wxWidgets/commit/d41256470b96c2f9c63c0c0b9c658c92831c5c53
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-27 (Wed, 27 May 2026)
Changed paths:
M docs/changes.txt
M src/common/strconv.cpp
M tests/mbconv/mbconvtest.cpp
Log Message:
-----------
Fix out-of-bounds table read in wxMBConvUTF7::ToWChar()
In wxMBConvUTF7::ToWChar() the value of the byte after '+' was cast to
"unsigned", which meant that on the platforms with signed bytes values
greater than 0x80 were sign-extended to a ~4GiB index which was (way)
out of bounds for a 256-entry table.
Fix the code by casting to "unsigned char", like the cc lookup just
above already does.
See #26517.
(cherry picked from commit f5c81bc5de564eb2b27414179b7902559dc6a115)
Commit: 1175aa020c6023b9c7030d8793de8c20cdd84c00
https://github.com/wxWidgets/wxWidgets/commit/1175aa020c6023b9c7030d8793de8c20cdd84c00
Author: ryancog <17038122...@users.noreply.github.com>
Date: 2026-05-30 (Sat, 30 May 2026)
Changed paths:
M interface/wx/uri.h
Log Message:
-----------
Fix wxURI::IsReference() description
The documentation described the inverse of the name of the
function and what it actually did, fix it to describe the actual
function behaviour.
See #26520.
(cherry picked from commit 41969e24dc95c54f900f1fe9c48ac0771ff29246)
Commit: 3bc57e47369ef9996e91568491dc9c975c984f1c
https://github.com/wxWidgets/wxWidgets/commit/3bc57e47369ef9996e91568491dc9c975c984f1c
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-30 (Sat, 30 May 2026)
Changed paths:
M docs/changes.txt
M src/common/imagiff.cpp
M tests/image/image.cpp
Log Message:
-----------
Fix one-byte over-read in IFF decomprle replicate packet
The replicate-run branch reads the packet's data byte after only
checking that one source byte remains, but it consumes two (the control
byte plus the data byte). A BODY ending in a lone replicate control byte
then reads one byte past the input buffer. Require two bytes left,
matching the literal-run check above.
See #26518.
(cherry picked from commit 83d55d0a9027e3798c5444554586b85cfba06015)
Commit: 92bbcac5b71910395522b91306e281558ff095e3
https://github.com/wxWidgets/wxWidgets/commit/92bbcac5b71910395522b91306e281558ff095e3
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M include/wx/translation.h
M src/common/translation.cpp
M version-script.in
Log Message:
-----------
Always define wxMsgCatalog dtor in the library
Objects of this class previously couldn't be used when using shared wx
libraries because their default, compiler-generated, dtor referenced
dtor of wxPluralFormsCalculatorPtr which was not exported from the
library.
Fix this by defining wxMsgCatalog dtor inside the library too.
Commit: 4864782d8714120a8c2e3035080a6d38e4142ee8
https://github.com/wxWidgets/wxWidgets/commit/4864782d8714120a8c2e3035080a6d38e4142ee8
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M docs/changes.txt
M src/common/translation.cpp
M tests/intl/intltest.cpp
Log Message:
-----------
Fix buffer overflow when loading invalid message catalogs
Avoid integer overflow in message catalog StringAtOfs() bounds check:
StringAtOfs() read ofsString and nLen from the .mo file and checked
ofsString + nLen against the data length, but both are 32-bit so the
sum wraps and a translated entry declaring nLen 0xffffffff passes the
check; FillHash() then scans past the end of the catalog. Compute the
offset as a 64-bit value so the addition can't overflow and result in an
invalid index into the buffer.
Add a test feeding such a catalog through wxMsgCatalog::CreateFromData().
See #26513.
(cherry picked from commit 2647c0806ff1d1caac4056e6760b996d72a409b1)
Commit: f77f70b1098aac8caf1255da59b271897ba52560
https://github.com/wxWidgets/wxWidgets/commit/f77f70b1098aac8caf1255da59b271897ba52560
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M docs/changes.txt
M src/common/xpmdecod.cpp
M tests/image/image.cpp
Log Message:
-----------
Fix buffer overflow on invalid width in wxXPMDecoder
Fix integer overflow in wxXPMDecoder::ReadData() when computing
width*chars_per_pixel: a header with a (very) large width could result
in wrapping around and result in reasonable but yet invalid value, which
could let the key-reading loop run off the end of the buffer.
Compute the product in 64-bits to avoid the overflow.
See #26519.
(cherry picked from commit 46f928d057a478bf4202f4ee381d74d9a0d7543e)
Commit: 0d53937af2fcce3145f02e6c330c9dacab164c3d
https://github.com/wxWidgets/wxWidgets/commit/0d53937af2fcce3145f02e6c330c9dacab164c3d
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M docs/changes.txt
M src/unix/sound.cpp
Log Message:
-----------
Fix data-size bound check past LIST chunk in wxSound::LoadWAV()
The check compared ul against length minus the fixed offset FMT_INDEX +
uiSize + 16, which equals data_offset + 8 only when no LIST chunk is
present. When a LIST chunk is present data_offset has already been
advanced past it, so a crafted WAV can pass this check with ul larger
than the bytes that actually follow the data-chunk header, and the
OSS/SDL playback paths then read past m_dataWithHeader. Use data_offset
directly so the same constraint holds either way.
See #26525.
(cherry picked from commit 262cec29155eca7ff9a6fd2e1d7d7cfd4912fa0d)
Commit: 3c5d06ab39e75490cf4d080eec0472a7b17a46b6
https://github.com/wxWidgets/wxWidgets/commit/3c5d06ab39e75490cf4d080eec0472a7b17a46b6
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M include/wx/buffer.h
M tests/strings/strings.cpp
Log Message:
-----------
Avoid buffer read overflow in wxCharTypeBuffer ctor
Don't assume that the data is always followed by NUL.
See #26527.
(cherry picked from commit cf50020259ebf5f73b00138599f3ad958ae156fe)
Commit: 15b402e625cc9626543e39dfd8c09eb7dfb22c65
https://github.com/wxWidgets/wxWidgets/commit/15b402e625cc9626543e39dfd8c09eb7dfb22c65
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M src/common/xpmdecod.cpp
M tests/image/image.cpp
Log Message:
-----------
Make recently added wxXPMDecoder test case really pass
We need to use memmove() and not strncpy() in wxXPMDecoder code as
nothing guarantees that the source and destination regions don't overlap
and they did overlap, in fact, for the test case added as part of
46f928d057 (Fix buffer overflow on invalid width in wxXPMDecoder,
2026-05-27).
Also make the test itself more explicit by hard-coding the test XPM
instead of constructing it dynamically.
See #26519.
(cherry picked from commit ccff9fe0f3ef3cc812da9b56bd56b5bc3273ddec)
Commit: a1cac3c23f7f271e22902b3cca9df63b1b59feef
https://github.com/wxWidgets/wxWidgets/commit/a1cac3c23f7f271e22902b3cca9df63b1b59feef
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M docs/changes.txt
M src/common/sckaddr.cpp
Log Message:
-----------
Fix buffer overflow in deepCopyHostent() name copy
This function, which is called by wxGethostby{name,addr}_r() if native
implementations of these functions are not available, could overflow the
input buffer by a byte if the host name was equal to the buffer size.
Fix the check for length, which also makes it consistent with the check
in deepCopyServent() just below.
See #26528.
(cherry picked from commit 7348f005b7f768634d79233a268bf42d7bee5893)
Commit: 9c94b432a2dfa371827d6a05f75642915b39422f
https://github.com/wxWidgets/wxWidgets/commit/9c94b432a2dfa371827d6a05f75642915b39422f
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M docs/changes.txt
M src/common/tarstrm.cpp
M tests/archive/tartest.cpp
Log Message:
-----------
Fix integer overflow in tar extended header bounds check
recSize in wxTarInputStream::ReadExtendedHeader() comes from the
record's decimal byte-count field, so a pax header declaring a length
close to SIZE_MAX makes recPos + recSize wrap below len and pass the
check. The following pRec[recSize - 1] then reads far past the buffer,
which ASAN flags as a heap-buffer-overflow.
Comparing recSize against len - recPos avoids the wrap.
See #26530.
(cherry picked from commit 4cf9de30097c43447bc8e71054ee3212a8f879e3)
Commit: a3b244bd5f556293a4b1e4715ee0fbee6dbb9faf
https://github.com/wxWidgets/wxWidgets/commit/a3b244bd5f556293a4b1e4715ee0fbee6dbb9faf
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M docs/changes.txt
M src/common/mimecmn.cpp
Log Message:
-----------
Fix out-of-bounds read on trailing % in wxFileType::ExpandCommand()
A command ending in a bare '%' made the loop advance in this function
advance past the end of string.
Fix this by handling only non-trailing '%' specifically
See #26531.
(cherry picked from commit 18582927af8bb7e0f8283f7c4c854db7377d0272)
Commit: bb347b7dc6660e9d2087b00fcf98253e21f66a2f
https://github.com/wxWidgets/wxWidgets/commit/bb347b7dc6660e9d2087b00fcf98253e21f66a2f
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M docs/changes.txt
M src/common/gifdecod.cpp
M tests/image/image.cpp
Log Message:
-----------
Validate decoded pixel indices in wxGIFDecoder::ConvertToImage()
Avoid reading uninitialized memory if any of the pixels in the input
data reference entries beyond the end of the palette.
See #26521.
(cherry picked from commit 86bc0762efcee173963d8002934d592141a0e1ae)
Commit: 741fdc724274171dcba6c13cd871271bfb039fe4
https://github.com/wxWidgets/wxWidgets/commit/741fdc724274171dcba6c13cd871271bfb039fe4
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M docs/changes.txt
M src/common/gifdecod.cpp
M tests/image/image.cpp
Log Message:
-----------
Avoid writing beyond the buffer end for GIFs with zero size
Reject GIF frames with zero width or height to avoid writing beyond the
(empty) buffer returned by malloc(0).
See #26524.
(cherry picked from commit 830ec3c439ee58f84bb4c214fabe37c5e7d4eaa1)
Commit: 87078e90688839a9f9c9bedb0e1cfdec320b6bd1
https://github.com/wxWidgets/wxWidgets/commit/87078e90688839a9f9c9bedb0e1cfdec320b6bd1
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M docs/changes.txt
M src/common/wxcrt.cpp
M src/common/wxprintf.cpp
M tests/strings/crt.cpp
Log Message:
-----------
Fix buffer overflow in wxVsnprintf() when size==0
Don't write NUL byte to "buf[size - 1]" when size is 0.
This bug was present in both implementations of wxVsnprintf(), so fix it
in both places too.
See #26522.
(cherry picked from commit a3ad8e33602aff06e57a7d3637df546cc07593b0)
Commit: 5093c11308637e3e2a20370960b6e4d10874557f
https://github.com/wxWidgets/wxWidgets/commit/5093c11308637e3e2a20370960b6e4d10874557f
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-06-01 (Mon, 01 Jun 2026)
Changed paths:
M docs/changes.txt
M src/common/regex.cpp
M tests/regex/wxregextest.cpp
Log Message:
-----------
Fix out-of-bounds read on trailing backslash in wxRegEx::Replace()
wxRegExImpl::Replace() scans replacement.c_str() and does *++p after a
backslash. When the replacement ends in a lone backslash, that reads the
terminating NUL, the else branch appends it, and the loop's p++ then
steps one byte past the NUL so the *p condition reads out of bounds.
Keep a trailing backslash verbatim and stop before the increment.
Add a test checking that this doesn't result in ASAN errors any more.
See #26541.
(cherry picked from commit 9b0eb807cd03eb9ba517b8d5371c91d811a7682b)
Compare: https://github.com/wxWidgets/wxWidgets/compare/95bfcbc82c62...5093c1130863
To unsubscribe from these emails, change your notification settings at https://github.com/wxWidgets/wxWidgets/settings/notifications
Home: https://github.com/wxWidgets/wxWidgets
Commit: e0faab1ca3586ae02d44174abd3a056b9ec1a39b
https://github.com/wxWidgets/wxWidgets/commit/e0faab1ca3586ae02d44174abd3a056b9ec1a39b
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M tests/image/image.cpp
M tests/intl/intltest.cpp
M tests/strings/vararg.cpp
Log Message:
-----------
Avoid harmless -Wunused-variable in unit tests
This warning used to be suppressed in Catch headers, but this is not the
case any longer, so work around it in the tests themselves now.
(cherry picked from commit 895dd8424c9e3cfbf451279c2617121e6b140b1c)
Commit: ce957f451fb5c80ec8ab8905000649a5fa4a50e9
https://github.com/wxWidgets/wxWidgets/commit/ce957f451fb5c80ec8ab8905000649a5fa4a50e9
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M tests/image/image.cpp
Log Message:
-----------
Log image information earlier in the image unit test
Use INFO() before some checks that may already fail to at least show in
which test the failures occur.
(cherry picked from commit 612dfa447a521ea2dec5bdbf49843e245dd8de35)
Commit: 948c62526f58d90d423432f40f9189e15838792d
https://github.com/wxWidgets/wxWidgets/commit/948c62526f58d90d423432f40f9189e15838792d
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M tests/image/image.cpp
Log Message:
-----------
Relax checks for image equality in wxImage::ChangeColours
Allow difference of 1 as this is what we get when using -O2 with gcc 12.
(cherry picked from commit f77390551ff5bd390063885524cf90222734c766)
Commit: 03d55ccba5cbbcf863d9b2680a117c9c4b37df34
https://github.com/wxWidgets/wxWidgets/commit/03d55ccba5cbbcf863d9b2680a117c9c4b37df34
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M tests/image/image.cpp
Log Message:
-----------
Improve wxImage::ChangeColours test code
Use a helper function to both make it shorter and provide more
information in case of a check failure: now the output will include the
name of the file, comparing with which failed, allowing to immediately
see which test failed.
(cherry picked from commit 2ed4e6bee4ee7659405862f5ff311429c44338f5)
Commit: 273a100dc258638b8a71494350149f5a4c7888c6
https://github.com/wxWidgets/wxWidgets/commit/273a100dc258638b8a71494350149f5a4c7888c6
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M tests/image/image.cpp
Log Message:
-----------
Improve TIFF saving test code
Give more details in case of failure by using INFO() and use simple
CHECK()s instead of ugly WX_ASSERT_EQUAL_MESSAGE as they will show the
failing test anyhow.
No real changes.
(cherry picked from commit c9efe227630c45533a914f1d517446842394b39c)
Commit: 65a3974170123a3f0b5ff6e9a0ed7731c34bbd53
https://github.com/wxWidgets/wxWidgets/commit/65a3974170123a3f0b5ff6e9a0ed7731c34bbd53
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M tests/image/image.cpp
Log Message:
-----------
Remove CppUnit boilerplate in wxImage unit test
No real changes, just remove all the ugly compatibility macros.
(cherry picked from commit d56d773a557d1fd2e4e9484b1807f4d4df0a440a)
Commit: 5342ba2e4b20c6d9c5c169ef7dd2eeb3b3f71109
https://github.com/wxWidgets/wxWidgets/commit/5342ba2e4b20c6d9c5c169ef7dd2eeb3b3f71109
Author: Brian Nixon <nix...@yahoo.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M build/cmake/tests/gui/CMakeLists.txt
M docs/changes.txt
M src/common/imagbmp.cpp
M src/msw/dib.cpp
M tests/Makefile.in
A tests/image/bitfields-alpha.bmp
M tests/image/image.cpp
M tests/makefile.gcc
M tests/makefile.vc
M tests/test.bkl
Log Message:
-----------
Correct loading of `BI_BITFIELDS` bitmaps
This fixes several minor bugs in the loading of `BI_BITFIELDS` bitmaps,
related to handling different header sizes and the colour and alpha
masks.
See #23601.
(cherry picked from commit d78e9fb1cb7718f9d62c9ad400a97dea23b179bd)
Commit: 33e6f770ab582b66916e6d0ad5231a6682c3fbbc
https://github.com/wxWidgets/wxWidgets/commit/33e6f770ab582b66916e6d0ad5231a6682c3fbbc
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M tests/Makefile.in
A tests/image/bad_truncated.gif
M tests/image/image.cpp
M tests/makefile.gcc
M tests/makefile.vc
M tests/test.bkl
Log Message:
-----------
Add tests for reading truncated GIF image
This should have been part of 217ecf0096 (Fix crash when reading
truncated GIF image, 2023-07-02).
See #23409.
Commit: 235cb8bf3dd3609953519f4b132b8b513fc85bd2
https://github.com/wxWidgets/wxWidgets/commit/235cb8bf3dd3609953519f4b132b8b513fc85bd2
Author: paulcor <pau...@users.noreply.github.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M build/cmake/tests/gui/CMakeLists.txt
M docs/changes.txt
M src/common/imagbmp.cpp
M tests/Makefile.in
A tests/image/32bpp_rgb.bmp
M tests/image/image.cpp
M tests/makefile.gcc
M tests/makefile.vc
M tests/test.bkl
Log Message:
-----------
Fix loading BMP files which use 32bpp but do not have valid alpha
Based on the behavior of WIN32 LoadFile(), and the gdk-pixbuf BMP loader
source code, the alpha values are ignored unless the compression method
is BI_BITFIELDS.
See #10915, #24219.
(cherry picked from commit b21642b72b4128f0b64ed7d79b4d320cbfc35497)
Commit: b0db3a9fdb7d46580860549423c4c1b42166c87d
https://github.com/wxWidgets/wxWidgets/commit/b0db3a9fdb7d46580860549423c4c1b42166c87d
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M src/common/imagbmp.cpp
M tests/image/32bpp_rgb.bmp
A tests/image/32bpp_rgb.ico
M tests/image/image.cpp
Log Message:
-----------
Fix loading ICO files with alpha broken by parent commit
The rules are different than for BMP files. Broken by parent 3676d34f8e
(Fix loading BMP files which use 32bpp but do not have valid alpha,
2024-11-04) which was backported from master as is.
See #24219, #24955.
(cherry picked from commit b321af212d1923cef590675510c885762ece47c5)
Commit: 2807118e02c3f8cd5968e4d07d8174f1b6b209a1
https://github.com/wxWidgets/wxWidgets/commit/2807118e02c3f8cd5968e4d07d8174f1b6b209a1
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M build/cmake/tests/gui/CMakeLists.txt
M src/common/imagbmp.cpp
M tests/Makefile.in
A tests/image/32bpp_rgb_a0.ico
M tests/image/image.cpp
M tests/makefile.gcc
M tests/makefile.vc
M tests/test.bkl
Log Message:
-----------
Fix loading ICO files with fully transparent alpha
Windows behavior is to ignore alpha in that case. Broken by grand parent
commit 3676d34f8e (Fix loading BMP files which use 32bpp but do not have
valid alpha, 2024-11-04) backported as is from master.
(cherry picked from commit dc83c4ca0eaa247950aaa9a9e114a21b46b6ae17)
Commit: 282d71e0dab88143423652d1ee02ecd07e16018d
https://github.com/wxWidgets/wxWidgets/commit/282d71e0dab88143423652d1ee02ecd07e16018d
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M build/cmake/tests/gui/CMakeLists.txt
M docs/changes.txt
M src/common/imagbmp.cpp
M tests/Makefile.in
A tests/image/badrle4.bmp
M tests/image/image.cpp
M tests/makefile.gcc
M tests/makefile.vc
M tests/test.bkl
Log Message:
-----------
Avoid memory overwrite on malformed BMP with invalid RLE data
(cherry picked from commit 443b64c11cc2b44a0fd713e90efa4300e279ea59)
Commit: f5b1ffe755f5d15756827d53df9c4900e0abe1de
https://github.com/wxWidgets/wxWidgets/commit/f5b1ffe755f5d15756827d53df9c4900e0abe1de
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M build/cmake/tests/gui/CMakeLists.txt
M src/common/imagbmp.cpp
M tests/Makefile.in
M tests/image/image.cpp
A tests/image/rgb16-3103.bmp
M tests/makefile.gcc
M tests/makefile.vc
M tests/test.bkl
Log Message:
-----------
Avoid negative shift count with valid BMP file
Detected by undefined behavior sanitizer, on a file with 16 bpp and a color
component of more than 8 bits. Fix by using a different, and more accurate,
method to scale color components to 8 bits.
(cherry picked from commit 05404fd3796075b10e352288481e4b40cf44ddca)
Commit: b30bb76293b6d06361c3f5eb00677033d26bd5d4
https://github.com/wxWidgets/wxWidgets/commit/b30bb76293b6d06361c3f5eb00677033d26bd5d4
Author: Brian Nixon <nix...@yahoo.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M docs/changes.txt
M src/common/imagbmp.cpp
M tests/image/image.cpp
M tests/image/rle8-delta-320x240-expected.bmp
Log Message:
-----------
Correct delta-RLE bitmap background colour
Use black instead of the first palette colour for the implicit
background for RLE bitmaps for consistency with Windows itself.
See #23599.
(cherry picked from commit b473163da20c1f36caaf2e4db512bb8fb4d73a93)
Commit: 4adc01192be9ba095a51c6a01654195ea6a55244
https://github.com/wxWidgets/wxWidgets/commit/4adc01192be9ba095a51c6a01654195ea6a55244
Author: Brian Nixon <nix...@yahoo.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M src/common/imagbmp.cpp
M tests/image/image.cpp
M tests/image/rle8-delta-320x240-expected.bmp
Log Message:
-----------
Restore old delta-RLE bitmap background setting
Revert the change introduced in parent commit c7378c6aa3 (Correct
delta-RLE bitmap background colour, 2023-06-02) cherry-picked from
master as is, and restore the setting of the background of delta-RLE
bitmaps to the first entry in the colour table. This retains earlier
wxWidgets behaviour and matches Windows `LoadImage()` with
`LR_CREATEDIBSECTION`.
See #23638, #23657.
(cherry picked from commit e1e2e982e30cfcc8d07e1ee4d4e5ce6964fc619d)
Commit: c83ef3189b89854c369f0e3dd533a0a30293daf6
https://github.com/wxWidgets/wxWidgets/commit/c83ef3189b89854c369f0e3dd533a0a30293daf6
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M src/common/imagbmp.cpp
M tests/image/image.cpp
Log Message:
-----------
Avoid assertion failure on BMP file with invalid or too-large size
(cherry picked from commit 5ff83b400c96a12adb2222adce1391c9bd7f6503)
Commit: 4b9915d9462c77c3696448d433feacc5b3e77463
https://github.com/wxWidgets/wxWidgets/commit/4b9915d9462c77c3696448d433feacc5b3e77463
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M src/common/imagbmp.cpp
Log Message:
-----------
Reduce the scope of some local variables
And switch to unsigned types for things which are not signed.
(cherry picked from commit b8199fa9ceae805189ddd325c982e52cc8bd4757)
Commit: 1c677c7c5872afb4883b0f40e00bb698ca5e773e
https://github.com/wxWidgets/wxWidgets/commit/1c677c7c5872afb4883b0f40e00bb698ca5e773e
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M build/cmake/tests/gui/CMakeLists.txt
M src/common/imagbmp.cpp
M tests/Makefile.in
M tests/image/image.cpp
A tests/image/rgb32-7187.bmp
M tests/makefile.gcc
M tests/makefile.vc
M tests/test.bkl
Log Message:
-----------
Up-scale BMP color components using Windows-compatible method
This allows tests to compare against native behavior under Windows
(cherry picked from commit 45a7efd6425c2eb0dc6e7cab5d813b9847e165bf)
Commit: 99cd1bed5f0f48d4cd386433297988791fa85b2d
https://github.com/wxWidgets/wxWidgets/commit/99cd1bed5f0f48d4cd386433297988791fa85b2d
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M build/cmake/tests/gui/CMakeLists.txt
M src/common/imagbmp.cpp
M tests/Makefile.in
M tests/image/image.cpp
A tests/image/rgb32bf.bmp
A tests/image/rgba32.bmp
M tests/makefile.gcc
M tests/makefile.vc
M tests/test.bkl
Log Message:
-----------
Handle BMP alpha the same way Windows does
Windows ignores alpha unless the format is 8-bit ARGB, and alpha is not
all zeros.
(cherry picked from commit e7e352d5f4315116656e21a996c08864021ff80b)
Commit: fa5dca61d663f1b85316ce1080586c3b5bac1936
https://github.com/wxWidgets/wxWidgets/commit/fa5dca61d663f1b85316ce1080586c3b5bac1936
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M tests/image/image.cpp
Log Message:
-----------
Fix BMP test under Wine
Apparently Wine does not handle BMP exactly like Windows
(cherry picked from commit 4d5fbf5afa276ebec0fed95c8feb5d6ec485622d)
Commit: 94462af4093c4692ddc7b8653a8c2cbb880e9113
https://github.com/wxWidgets/wxWidgets/commit/94462af4093c4692ddc7b8653a8c2cbb880e9113
Author: MarkLee131 <kaixu...@ntu.edu.sg>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M docs/changes.txt
M src/common/imagbmp.cpp
M tests/image/image.cpp
Log Message:
-----------
Avoid out-of-bounds palette read in 8bpp BMP decoder
The non-RLE 8bpp branch at imagbmp.cpp:903, plus the RLE absolute and
RLE encoded branches a few lines above, all index cmap[aByte] without
checking aByte against the palette colour count. A BMP that pairs a
small palette with a colour-index byte >= ncolors reads past the
palette and the value flows into the decoded pixel.
Reject the file (return false) at each site, matching the surrounding
"return false on malformed input" pattern.
See #26438, #26439.
(cherry picked from commit b305cb4e4de77fb37807aa89e02643c4b0240d8f)
Commit: ca1c3f756714b6004f1cd10f911098b30de48361
https://github.com/wxWidgets/wxWidgets/commit/ca1c3f756714b6004f1cd10f911098b30de48361
Author: MarkLee131 <kaixu...@ntu.edu.sg>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M docs/changes.txt
M src/common/imagpcx.cpp
M tests/image/image.cpp
Log Message:
-----------
Avoid out-of-bounds line-buffer read in wxPCXHandler::LoadFile
The PCX header's width and bytesperline are independent fields,
never cross-validated. A header with width > bytesperline produces a
small per-line buffer p and then reads p[i] for i < width past the
buffer end (the 24-bit branch additionally reads p[i + 2 * bytesperline]).
Reject the file when width exceeds bytesperline, or when either is
non-positive.
See #26441, #26443.
(cherry picked from commit edae38f44a22bd7a37339bbfdadbb408db08c796)
Commit: 1a488980a8b038b583ff34040785137d1c4a6bef
https://github.com/wxWidgets/wxWidgets/commit/1a488980a8b038b583ff34040785137d1c4a6bef
Author: MarkLee131 <kaixu...@ntu.edu.sg>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M docs/changes.txt
M src/common/xpmdecod.cpp
M tests/image/image.cpp
Log Message:
-----------
Avoid out-of-bounds read in wxXPMDecoder::ReadFile on unterminated comment
When the inner loop scanning for the '*/' that closes a '/*' comment
exits because *q == '\0' (no closing marker before end-of-buffer),
the subsequent strlen(q + 2) reads past the allocated wxCharBuffer.
Bail out of the outer loop in that case.
See #26442, #26444.
(cherry picked from commit f4296791320ac13ba2ddf1e6db91ab3e8b7b0285)
Commit: e9c086f8acfb49153e33aa2037d0cc45feef054a
https://github.com/wxWidgets/wxWidgets/commit/e9c086f8acfb49153e33aa2037d0cc45feef054a
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
M tests/strings/vararg.cpp
Log Message:
-----------
Avoid another warning triggered by the last warning workaround
Initialize a variable to avoid -Wmaybe-uninitialized triggered by using
wxUnusedVar() with it now.
(cherry picked from commit f2cfcd3d2faaedfbae9b4ed7de866a15d24c4a3f)
Commit: 5c6413d412271a7d079c680d8906be622e969357
https://github.com/wxWidgets/wxWidgets/commit/5c6413d412271a7d079c680d8906be622e969357
Author: Václav Slavík <vac...@slavik.io>
Date: 2026-05-15 (Fri, 15 May 2026)
Changed paths:
M docs/changes.txt
M src/gtk/textctrl.cpp
Log Message:
-----------
wxGTK: Fix wxTextCtrl crash with GSpell attached
The logic in wxTextCtrl::DoFreeze() for deleting leaked anonymous marks
when detaching the buffer kept raw pointers to GtkTextMark objects
without managing their reference count.
This worked for the specific internal mark targeted by this code, but
broke with other marks that may have become invalid in the meantime.
Specifically, GSpell uses such marks internally too, causing a
use-after-free crash.
Fixed by ref-counting the objects kept in m_anonymousMarkList.
See #26464.
(cherry picked from commit 7a7ab636e36cd01540c038bef2430ffcfa048681)
Commit: 1eb48abb92cb2921a18427e13bfa2cf14ea4cc8e
https://github.com/wxWidgets/wxWidgets/commit/1eb48abb92cb2921a18427e13bfa2cf14ea4cc8e
Author: Václav Slavík <vac...@slavik.io>
Date: 2026-05-15 (Fri, 15 May 2026)
Changed paths:
M docs/contributing/translators-guide.md
M docs/doxygen/mainpages/translations.h
M docs/doxygen/overviews/internationalization.h
Log Message:
-----------
Update Poedit links
Update links to Poedit in the docs, plus adjacent things things such as
the name or current path to xgettext.
See #26465.
(cherry picked from commit 63331c31f4f04ab2ce4d255fd4d1753d143ca83a)
Commit: 191768e30b763c3efd994af0c7f1f5cac48637f9
https://github.com/wxWidgets/wxWidgets/commit/191768e30b763c3efd994af0c7f1f5cac48637f9
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-15 (Fri, 15 May 2026)
Changed paths:
M docs/changes.txt
M src/unix/threadpsx.cpp
Log Message:
-----------
Fix computing wait end time in pthreads wxCondition implementation
The old code didn't work for the dates after 2038 due to the use of
GetLo() which discarded the high part of 64 bit time value.
Simply stop doing it to fix the bug both for wxCondition and for
wxSemaphore which uses it internally.
See #26466.
(cherry picked from commit 24e72ef30e87377c1ec7158f11f79b58dcbb3b61)
Commit: bfdfaa0b8b799ce434f426996b77085f5ebde8d5
https://github.com/wxWidgets/wxWidgets/commit/bfdfaa0b8b799ce434f426996b77085f5ebde8d5
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-19 (Tue, 19 May 2026)
Changed paths:
M docs/changes.txt
M src/generic/graphicc.cpp
Log Message:
-----------
Make GTK3 dashed line appearance similar to MSW
Scale the segment lengths to the pen width properly, and match the MSW lengths.
Apparently MSW doesn't have a long dash, so use twice the short dash for that.
See #26449.
(cherry picked from commit ec0149a9320549efd41e02c24a1b744b217d04f1)
Commit: 268d8d5beec1b5ea2614a48270d519e9f80f4e3a
https://github.com/wxWidgets/wxWidgets/commit/268d8d5beec1b5ea2614a48270d519e9f80f4e3a
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-19 (Tue, 19 May 2026)
Changed paths:
M src/gtk/dcclient.cpp
Log Message:
-----------
Make GTK2 dashed line appearance similar to MSW
See #26449.
(cherry picked from commit c968631837d74af60a8c454d2253d8f0b550949c)
Commit: 3b2774a614763c6df066b81fc6597e68e9cd6d1d
https://github.com/wxWidgets/wxWidgets/commit/3b2774a614763c6df066b81fc6597e68e9cd6d1d
Author: Paul Cornett <pau...@users.noreply.github.com>
Date: 2026-05-19 (Tue, 19 May 2026)
Changed paths:
M docs/changes.txt
M src/gtk/toplevel.cpp
Log Message:
-----------
Fix non-resizable TLW size on GTK when client size is set to initial size
See #26480.
(cherry picked from commit af199c40f9511663f2ae6b1dff6bda296c356c5e)
Commit: fb9fc75925e8ac3c8b98d9dcf3a486ab53702792
https://github.com/wxWidgets/wxWidgets/commit/fb9fc75925e8ac3c8b98d9dcf3a486ab53702792
Author: Stefan Csomor <cso...@advancedconcepts.ch>
Date: 2026-05-20 (Wed, 20 May 2026)
Changed paths:
M include/wx/osx/core/private.h
Log Message:
-----------
OSX 10.10 compatibility for compositing operators
* Add defines for macOS < 10.12 in private header
See #26472, #26476.
(cherry picked from commit e15db260b28951bee492307961c7690d60fa443f)
Commit: 0022c8ef919231f49f85e6074e73b0f750e345f2
https://github.com/wxWidgets/wxWidgets/commit/0022c8ef919231f49f85e6074e73b0f750e345f2
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-21 (Thu, 21 May 2026)
Changed paths:
M docs/changes.txt
M src/common/imagiff.cpp
M tests/image/image.cpp
Log Message:
-----------
Avoid out-of-bounds palette write in wxIFFDecoder::ConvertToImage()
See #26440.
(cherry picked from commit d4188f68378ddb275257d765f9b6b765a893751e)
Commit: 38da54b4c47fe2100f80992689b5c2a63ad55001
https://github.com/wxWidgets/wxWidgets/commit/38da54b4c47fe2100f80992689b5c2a63ad55001
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-22 (Fri, 22 May 2026)
Changed paths:
M build/cmake/tests/gui/CMakeLists.txt
M tests/test.bkl
Log Message:
-----------
Add new test GIF image to CMake builds too
This should have been done in c2e5749443 (Fix crash when reading
truncated GIF image, 2023-07-02), but was forgotten there -- so do it
now, and add a comment reminding not to forget it the next time.
See #23409.
(cherry picked from commit aa77eb91b0111fdd3bce9d0b2833e43923e93705)
Commit: 60017126800df20f39d94c7f6fb1a8b8519bc85e
https://github.com/wxWidgets/wxWidgets/commit/60017126800df20f39d94c7f6fb1a8b8519bc85e
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-22 (Fri, 22 May 2026)
Changed paths:
M docs/changes.txt
M src/common/imagbmp.cpp
M tests/image/image.cpp
Log Message:
-----------
Reject BMP RLE absolute runs that overrun the current scanline
In src/common/imagbmp.cpp::LoadBMPData() the absolute-mode branches of
both the BI_RLE4 (around line 763) and BI_RLE8 (around line 870) decode
loops increment 'column' for each pixel without checking it against
'width'. The image buffer is sized width * height * 3 and 'poffset' is
computed as line * width * 3 + column * 3, so an absolute escape with
a count larger than (width - column) keeps writing through the rest of
the row and into adjacent rows or past the end of the buffer entirely
on the last decoded scanline.
The neighbouring encoded-mode branches at lines 798 and 896 already use
"&& column < width" to clamp runs to the row width, and the delta-mode
branch at lines 758 and 863 rejects out-of-range row offsets, so the
absolute branches are the only RLE paths left without bounds checking.
Reject the file with return false when the absolute run would extend
past the right edge of the current row, matching the existing
"return false on malformed input" pattern in the same function.
Add a regression test that loads a 4x4 8bpp RLE BMP with an absolute
escape claiming 100 pixels on the first row and expects the loader to
fail rather than write past the image buffer.
See #26496.
(cherry picked from commit d1d6605e93961e3afe5778c14f951956db55fe1e)
Commit: 597c0ab32252622fb4fe641febcefcb00d734a17
https://github.com/wxWidgets/wxWidgets/commit/597c0ab32252622fb4fe641febcefcb00d734a17
Author: jmestwa-coder <jme...@gmail.com>
Date: 2026-05-22 (Fri, 22 May 2026)
Changed paths:
M docs/changes.txt
M src/common/imagiff.cpp
M tests/image/image.cpp
Log Message:
-----------
Validate IFF BMHD fields to prevent pixel-buffer overflow
wxIFFDecoder::ReadIFF() in src/common/imagiff.cpp parses the BMHD
chunk without bounding the width, height or bitplane count. The
subsequent pixel buffer is allocated with
m_image->p = new byte[bmhd_width * bmhd_height * 3];
using signed-int multiplication. With bmhd_width = 21849 and
bmhd_height = 65535 (both legal 16-bit BMHD values) the product
4,295,622,645 overflows int and wraps down to 655,349, so only
~640 KiB is actually allocated. The BODY decode loop then writes
3 * bmhd_width bytes per row, so a BODY chunk supplying just 10
lineskips of zeros (lineskip = 2732 for this width, total 27,320
bytes) is enough to overrun the allocation. A bmhd_bitplanes or
bmhd_width of zero also makes lineskip * bmhd_bitplanes zero and
causes a divide-by-zero in the height computation a few lines
later.
Reject malformed BMHD chunks at parse time: require positive
width, height and bitplane count, cap the bitplane count at 32
(the largest format the decoder handles is 24-bit ILBM), and cap
bmhd_width * bmhd_height so that the product multiplied by 3
stays within INT_MAX. This makes the existing int-typed buffer
size computation safe and keeps the patch local to the BMHD
parsing branch.
A unit test in tests/image/image.cpp builds the malformed IFF
described above in memory, registers the IFF handler and asserts
that LoadFile() rejects it; without the fix the test triggers a
heap-buffer-overflow during BODY decoding.
See #26497.
(cherry picked from commit d22a91e95268d2748fcf6656d70158f2c43ae234)
Commit: 61d185f16934c38e84b798335831c07007343639
https://github.com/wxWidgets/wxWidgets/commit/61d185f16934c38e84b798335831c07007343639
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-23 (Sat, 23 May 2026)
Changed paths:
M src/common/strconv.cpp
Log Message:
-----------
Fix static order initialization problem in wxCSConv
wxCSConv::wxCSConv() called during global variables initialization could
use the yet uninitialized global gs_nameCache.
Fix this in the usual way, by wrapping the global in a function to
ensure that it is always initialized before being used.
(cherry picked from commit d3fb6dcaddd15994cc21213d99aa350d4e259346)
Commit: 2d00db9e1c8b953dc7b70022f91f3266371d395a
https://github.com/wxWidgets/wxWidgets/commit/2d00db9e1c8b953dc7b70022f91f3266371d395a
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-23 (Sat, 23 May 2026)
Changed paths:
M docs/changes.txt
M src/common/gifdecod.cpp
M tests/image/image.cpp
Log Message:
-----------
Reject GIF files with LZW minimum code size > 11
The minimum code size byte that follows the local colour table in
wxGIFDecoder::LoadGIF() is only checked for <= 0. dgif() sizes
ab_prefix/ab_tail with allocSize = 4096 + 1, so a value of 12
starts ab_free at 4098 and the first alphabet update at
gifdecod.cpp:457 writes one entry past the end of both arrays. The
existing wxASSERT(ab_free < allocSize) already flagged this in debug
builds. The new wxImage::BadGIFLZWMinCodeSize test feeds a 37-byte
2x1 GIF with code size 12 to LoadFile and asserts it is rejected.
See #26501.
(cherry picked from commit 71d58842ebc709c925ef8a28821a1656d6170181)
Commit: 4398e72c4a0b8144883a8857e37f6bf433c1d346
https://github.com/wxWidgets/wxWidgets/commit/4398e72c4a0b8144883a8857e37f6bf433c1d346
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-23 (Sat, 23 May 2026)
Changed paths:
M src/common/gifdecod.cpp
Log Message:
-----------
Fix memory leak when loading invalid GIF files
This was already attempted back in 56ba039411 (fixed memory leaks when
reading invalid GIFs, 2007-03-30) but the cleanup guard added there
didn't really fix anything as we need to free memory in GIFImage, not
wxGIFDecoder itself.
Really fix this now by calling the newly added GIFImage::Free() and not
wxGIFDecoder::Destroy(), which will be called by the dtor anyhow, on
error.
See #26501.
(cherry picked from commit 5bc58ae3d1a844dae30e77be3812d95c566c14f5)
Commit: d8dd2ac4dfe34e87f5cbd0bc471fc2e0b9d040d6
https://github.com/wxWidgets/wxWidgets/commit/d8dd2ac4dfe34e87f5cbd0bc471fc2e0b9d040d6
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-23 (Sat, 23 May 2026)
Changed paths:
M docs/changes.txt
M src/common/xpmdecod.cpp
M tests/image/image.cpp
Log Message:
-----------
Stop reading past wxCharBuffer end on unterminated XPM quote
The quote-stripping loop in wxXPMDecoder::ReadFile() sets p = q + 1
after strncpy(). If the closing " was missing, q stopped at the
buffer terminator, so p ended up one past it and the outer for-loop's
p++ then dereferenced two bytes off the end of the wxCharBuffer.
Mirror the already-existing /*-comment treatment and break out of the
loop when *q == '\0'.
See #26499.
(cherry picked from commit 49a4dbee56bca3737a26f91ae32b6a6d6cca6f8a)
Commit: f70412d148b20a94f44b8471c74432a86b669714
https://github.com/wxWidgets/wxWidgets/commit/f70412d148b20a94f44b8471c74432a86b669714
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-23 (Sat, 23 May 2026)
Changed paths:
M docs/changes.txt
M src/common/imagtga.cpp
M tests/image/image.cpp
Log Message:
-----------
Reject TGA files with non-zero colour map origin
ReadTGA() in src/common/imagtga.cpp allocates the palette buffer as
paletteLength * palEntrySize bytes (palette indices 0..paletteLength-1)
but the loop that fills it writes each entry at index paletteStart + i.
The paletteStart and paletteLength values come straight from the TGA
header (bytes 3-7 of the colour map specification) and aren't bounded
against each other. For any file with paletteStart > 0, the calls to
Palette_SetRGB()/Palette_SetRGBA() write past the end of the buffer:
e.g. paletteStart=100, paletteLength=10, palettebpp=24 allocates 30
bytes but writes at offsets 100..129. The subsequent
image->SetPalette(wxPalette((int) paletteLength, &palette[0], ...))
also reads from index 0 onward, so the rest of the loader was already
implicitly assuming paletteStart == 0.
Add an explicit early-return wxTGA_INVFORMAT in the colour-mapped
branch when paletteStart is non-zero, which is the assumption the
existing code makes anyway.
See #26493.
(cherry picked from commit b2d7c29f299e295637c05c5d6438ddf6eba5528b)
Commit: cb63e1caa07cef38eef5a2922e6a24dd65424552
https://github.com/wxWidgets/wxWidgets/commit/cb63e1caa07cef38eef5a2922e6a24dd65424552
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M docs/changes.txt
M src/common/imagiff.cpp
M tests/image/image.cpp
Log Message:
-----------
Stop reading past data end in truncated IFF BODY decode
Fix iff body truncation over-read in wxIFFDecoder::ReadIFF:
wxIFFDecoder::ReadIFF() sets chunkLen = dataend - dataptr on the
truncated BODY path, which is 8 too large because bodyptr lives 8 bytes
after dataptr. The non-RLE decode loop below then reads up to 8 bytes
past the end of databuf; clamp chunkLen to dataend - bodyptr instead.
See #26505.
(cherry picked from commit c8c1ca9bb8d9e7e7335d80c97e39917b39e22b79)
Commit: 86ff82377b8190a1d8bdb7bd100ca9a775e10a5b
https://github.com/wxWidgets/wxWidgets/commit/86ff82377b8190a1d8bdb7bd100ca9a775e10a5b
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M docs/changes.txt
M src/unix/sound.cpp
Log Message:
-----------
Validate data chunk header room in wxSound::LoadWAV()
Don't read beyond the end of the buffer as could happen in case of a
44-byte WAV file with a 0-sized LIST chunk.
See #26506.
(cherry picked from commit 6069ea92b392948e61d1250fc24e192e8c39cea4)
Commit: 9093f4c73d7aa143c4b17d04f15bf4f98f2768f3
https://github.com/wxWidgets/wxWidgets/commit/9093f4c73d7aa143c4b17d04f15bf4f98f2768f3
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M docs/changes.txt
M src/common/zipstrm.cpp
M tests/archive/ziptest.cpp
Log Message:
-----------
Reject too-short ZIP64 extra field in wxZipEntry::LoadExtraInfo()
wxZipEntry::LoadExtraInfo() calls wxZipHeader::Read64() up to three
times on a wxZipHeader of length min(fieldLen, 28). Read64() doesn't
bounds-check m_pos against m_size, so a short ZIP64 extra field returns
uninitialised bytes from the header's 64-byte stack-allocated m_data and
they end up in the entry's m_Size / m_CompressedSize / m_Offset. Reject the
entry when fieldLen is below the requested 64-bit total.
See #26507.
(cherry picked from commit b29393b32796e543db335bfebd5045af2744c0c5)
Commit: 30135386e3fd20b85c17b390871df905cbcc1bd2
https://github.com/wxWidgets/wxWidgets/commit/30135386e3fd20b85c17b390871df905cbcc1bd2
Author: Blake-Madden <66873089+B...@users.noreply.github.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/msw/webview_ie.cpp
Log Message:
-----------
Fix off-by-one buffer overflow in wxWebViewIE
wcscpy calling wasn't leaving space for the nul terminator
See #26508.
(cherry picked from commit 313fbb08b448b92000e8136bf5f278b968eda888)
Commit: fbec26062b768e1e5ca642621a7c1377c60d6e9e
https://github.com/wxWidgets/wxWidgets/commit/fbec26062b768e1e5ca642621a7c1377c60d6e9e
Author: Blake-Madden <66873089+B...@users.noreply.github.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/msw/ole/uuid.cpp
Log Message:
-----------
Fix typo in UuidToCForm format string and use bounded wxSnprintf
See #26508.
(cherry picked from commit b6bfeaac4978f08057c12b099224a01907e702bf)
Commit: a76b6c8efed24eb0c22269e868254959f6662ce3
https://github.com/wxWidgets/wxWidgets/commit/a76b6c8efed24eb0c22269e868254959f6662ce3
Author: Blake-Madden <66873089+B...@users.noreply.github.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/msw/textctrl.cpp
Log Message:
-----------
Get charset from CHARFORMAT in wxTextCtrl instead of hardcoding ANSI_CHARSET
See #26508.
(cherry picked from commit b1722286466ffdea9f0f9a5caeb79150f019d398)
Commit: c60dbd15ff19072ea520f47102679e01eaf329f1
https://github.com/wxWidgets/wxWidgets/commit/c60dbd15ff19072ea520f47102679e01eaf329f1
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-26 (Tue, 26 May 2026)
Changed paths:
M docs/changes.txt
M src/common/anidecod.cpp
M tests/image/image.cpp
Log Message:
-----------
Validate ANI frame indices against loaded icon count
The SEQ chunk of an ANI file gives a 32-bit image index per animation
step. These values were stored into wxANIFrameInfo::m_imageIndex
verbatim, without any check against the number of icon chunks actually
loaded into m_images. wxANIDecoder::ConvertToImage() and
GetTransparentColour() then used the value as an index into m_images
directly, so a malformed ANI file could trigger an out-of-bounds vector
access when the file is displayed.
Reject the file in Load() if any of the indices is negative or points
past the end of m_images, and also reject files that produced no icon
chunks at all so the subsequent m_images[0] reference is safe.
See #26492.
(cherry picked from commit a676a0f1f51f5c94036d64df3863664586937aa6)
Commit: d301e9ed5ed834c6c49d543da8c291eb08c9f619
https://github.com/wxWidgets/wxWidgets/commit/d301e9ed5ed834c6c49d543da8c291eb08c9f619
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-26 (Tue, 26 May 2026)
Changed paths:
M docs/changes.txt
M src/common/imagbmp.cpp
M tests/image/image.cpp
Log Message:
-----------
Validate 4-bit BMP palette index against number of colors
Fix out-of-bounds read when decoding 4bpp BMP with invalid palette
indices.
See #26511.
(cherry picked from commit b47e2bb3527862397cafc7d200637db2ec0194f8)
Commit: d41256470b96c2f9c63c0c0b9c658c92831c5c53
https://github.com/wxWidgets/wxWidgets/commit/d41256470b96c2f9c63c0c0b9c658c92831c5c53
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-27 (Wed, 27 May 2026)
Changed paths:
M docs/changes.txt
M src/common/strconv.cpp
M tests/mbconv/mbconvtest.cpp
Log Message:
-----------
Fix out-of-bounds table read in wxMBConvUTF7::ToWChar()
In wxMBConvUTF7::ToWChar() the value of the byte after '+' was cast to
"unsigned", which meant that on the platforms with signed bytes values
greater than 0x80 were sign-extended to a ~4GiB index which was (way)
out of bounds for a 256-entry table.
Fix the code by casting to "unsigned char", like the cc lookup just
above already does.
See #26517.
(cherry picked from commit f5c81bc5de564eb2b27414179b7902559dc6a115)
Commit: 1175aa020c6023b9c7030d8793de8c20cdd84c00
https://github.com/wxWidgets/wxWidgets/commit/1175aa020c6023b9c7030d8793de8c20cdd84c00
Author: ryancog <17038122...@users.noreply.github.com>
Date: 2026-05-30 (Sat, 30 May 2026)
Changed paths:
M interface/wx/uri.h
Log Message:
-----------
Fix wxURI::IsReference() description
The documentation described the inverse of the name of the
function and what it actually did, fix it to describe the actual
function behaviour.
See #26520.
(cherry picked from commit 41969e24dc95c54f900f1fe9c48ac0771ff29246)
Commit: 3bc57e47369ef9996e91568491dc9c975c984f1c
https://github.com/wxWidgets/wxWidgets/commit/3bc57e47369ef9996e91568491dc9c975c984f1c
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-30 (Sat, 30 May 2026)
Changed paths:
M docs/changes.txt
M src/common/imagiff.cpp
M tests/image/image.cpp
Log Message:
-----------
Fix one-byte over-read in IFF decomprle replicate packet
The replicate-run branch reads the packet's data byte after only
checking that one source byte remains, but it consumes two (the control
byte plus the data byte). A BODY ending in a lone replicate control byte
then reads one byte past the input buffer. Require two bytes left,
matching the literal-run check above.
See #26518.
(cherry picked from commit 83d55d0a9027e3798c5444554586b85cfba06015)
Commit: 92bbcac5b71910395522b91306e281558ff095e3
https://github.com/wxWidgets/wxWidgets/commit/92bbcac5b71910395522b91306e281558ff095e3
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M include/wx/translation.h
M src/common/translation.cpp
M version-script.in
Log Message:
-----------
Always define wxMsgCatalog dtor in the library
Objects of this class previously couldn't be used when using shared wx
libraries because their default, compiler-generated, dtor referenced
dtor of wxPluralFormsCalculatorPtr which was not exported from the
library.
Fix this by defining wxMsgCatalog dtor inside the library too.
Commit: 4864782d8714120a8c2e3035080a6d38e4142ee8
https://github.com/wxWidgets/wxWidgets/commit/4864782d8714120a8c2e3035080a6d38e4142ee8
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M docs/changes.txt
M src/common/translation.cpp
M tests/intl/intltest.cpp
Log Message:
-----------
Fix buffer overflow when loading invalid message catalogs
Avoid integer overflow in message catalog StringAtOfs() bounds check:
StringAtOfs() read ofsString and nLen from the .mo file and checked
ofsString + nLen against the data length, but both are 32-bit so the
sum wraps and a translated entry declaring nLen 0xffffffff passes the
check; FillHash() then scans past the end of the catalog. Compute the
offset as a 64-bit value so the addition can't overflow and result in an
invalid index into the buffer.
Add a test feeding such a catalog through wxMsgCatalog::CreateFromData().
See #26513.
(cherry picked from commit 2647c0806ff1d1caac4056e6760b996d72a409b1)
Commit: f77f70b1098aac8caf1255da59b271897ba52560
https://github.com/wxWidgets/wxWidgets/commit/f77f70b1098aac8caf1255da59b271897ba52560
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M docs/changes.txt
M src/common/xpmdecod.cpp
M tests/image/image.cpp
Log Message:
-----------
Fix buffer overflow on invalid width in wxXPMDecoder
Fix integer overflow in wxXPMDecoder::ReadData() when computing
width*chars_per_pixel: a header with a (very) large width could result
in wrapping around and result in reasonable but yet invalid value, which
could let the key-reading loop run off the end of the buffer.
Compute the product in 64-bits to avoid the overflow.
See #26519.
(cherry picked from commit 46f928d057a478bf4202f4ee381d74d9a0d7543e)
Commit: 0d53937af2fcce3145f02e6c330c9dacab164c3d
https://github.com/wxWidgets/wxWidgets/commit/0d53937af2fcce3145f02e6c330c9dacab164c3d
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M docs/changes.txt
M src/unix/sound.cpp
Log Message:
-----------
Fix data-size bound check past LIST chunk in wxSound::LoadWAV()
The check compared ul against length minus the fixed offset FMT_INDEX +
uiSize + 16, which equals data_offset + 8 only when no LIST chunk is
present. When a LIST chunk is present data_offset has already been
advanced past it, so a crafted WAV can pass this check with ul larger
than the bytes that actually follow the data-chunk header, and the
OSS/SDL playback paths then read past m_dataWithHeader. Use data_offset
directly so the same constraint holds either way.
See #26525.
(cherry picked from commit 262cec29155eca7ff9a6fd2e1d7d7cfd4912fa0d)
Commit: 3c5d06ab39e75490cf4d080eec0472a7b17a46b6
https://github.com/wxWidgets/wxWidgets/commit/3c5d06ab39e75490cf4d080eec0472a7b17a46b6
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M include/wx/buffer.h
M tests/strings/strings.cpp
Log Message:
-----------
Avoid buffer read overflow in wxCharTypeBuffer ctor
Don't assume that the data is always followed by NUL.
See #26527.
(cherry picked from commit cf50020259ebf5f73b00138599f3ad958ae156fe)
Commit: 15b402e625cc9626543e39dfd8c09eb7dfb22c65
https://github.com/wxWidgets/wxWidgets/commit/15b402e625cc9626543e39dfd8c09eb7dfb22c65
Author: Vadim Zeitlin <va...@wxwidgets.org>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M src/common/xpmdecod.cpp
M tests/image/image.cpp
Log Message:
-----------
Make recently added wxXPMDecoder test case really pass
We need to use memmove() and not strncpy() in wxXPMDecoder code as
nothing guarantees that the source and destination regions don't overlap
and they did overlap, in fact, for the test case added as part of
46f928d057 (Fix buffer overflow on invalid width in wxXPMDecoder,
2026-05-27).
Also make the test itself more explicit by hard-coding the test XPM
instead of constructing it dynamically.
See #26519.
(cherry picked from commit ccff9fe0f3ef3cc812da9b56bd56b5bc3273ddec)
Commit: a1cac3c23f7f271e22902b3cca9df63b1b59feef
https://github.com/wxWidgets/wxWidgets/commit/a1cac3c23f7f271e22902b3cca9df63b1b59feef
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M docs/changes.txt
M src/common/sckaddr.cpp
Log Message:
-----------
Fix buffer overflow in deepCopyHostent() name copy
This function, which is called by wxGethostby{name,addr}_r() if native
implementations of these functions are not available, could overflow the
input buffer by a byte if the host name was equal to the buffer size.
Fix the check for length, which also makes it consistent with the check
in deepCopyServent() just below.
See #26528.
(cherry picked from commit 7348f005b7f768634d79233a268bf42d7bee5893)
Commit: 9c94b432a2dfa371827d6a05f75642915b39422f
https://github.com/wxWidgets/wxWidgets/commit/9c94b432a2dfa371827d6a05f75642915b39422f
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M docs/changes.txt
M src/common/tarstrm.cpp
M tests/archive/tartest.cpp
Log Message:
-----------
Fix integer overflow in tar extended header bounds check
recSize in wxTarInputStream::ReadExtendedHeader() comes from the
record's decimal byte-count field, so a pax header declaring a length
close to SIZE_MAX makes recPos + recSize wrap below len and pass the
check. The following pRec[recSize - 1] then reads far past the buffer,
which ASAN flags as a heap-buffer-overflow.
Comparing recSize against len - recPos avoids the wrap.
See #26530.
(cherry picked from commit 4cf9de30097c43447bc8e71054ee3212a8f879e3)
Commit: a3b244bd5f556293a4b1e4715ee0fbee6dbb9faf
https://github.com/wxWidgets/wxWidgets/commit/a3b244bd5f556293a4b1e4715ee0fbee6dbb9faf
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M docs/changes.txt
M src/common/mimecmn.cpp
Log Message:
-----------
Fix out-of-bounds read on trailing % in wxFileType::ExpandCommand()
A command ending in a bare '%' made the loop advance in this function
advance past the end of string.
Fix this by handling only non-trailing '%' specifically
See #26531.
(cherry picked from commit 18582927af8bb7e0f8283f7c4c854db7377d0272)
Commit: bb347b7dc6660e9d2087b00fcf98253e21f66a2f
https://github.com/wxWidgets/wxWidgets/commit/bb347b7dc6660e9d2087b00fcf98253e21f66a2f
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M docs/changes.txt
M src/common/gifdecod.cpp
M tests/image/image.cpp
Log Message:
-----------
Validate decoded pixel indices in wxGIFDecoder::ConvertToImage()
Avoid reading uninitialized memory if any of the pixels in the input
data reference entries beyond the end of the palette.
See #26521.
(cherry picked from commit 86bc0762efcee173963d8002934d592141a0e1ae)
Commit: 741fdc724274171dcba6c13cd871271bfb039fe4
https://github.com/wxWidgets/wxWidgets/commit/741fdc724274171dcba6c13cd871271bfb039fe4
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M docs/changes.txt
M src/common/gifdecod.cpp
M tests/image/image.cpp
Log Message:
-----------
Avoid writing beyond the buffer end for GIFs with zero size
Reject GIF frames with zero width or height to avoid writing beyond the
(empty) buffer returned by malloc(0).
See #26524.
(cherry picked from commit 830ec3c439ee58f84bb4c214fabe37c5e7d4eaa1)
Commit: 87078e90688839a9f9c9bedb0e1cfdec320b6bd1
https://github.com/wxWidgets/wxWidgets/commit/87078e90688839a9f9c9bedb0e1cfdec320b6bd1
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
M docs/changes.txt
M src/common/wxcrt.cpp
M src/common/wxprintf.cpp
M tests/strings/crt.cpp
Log Message:
-----------
Fix buffer overflow in wxVsnprintf() when size==0
Don't write NUL byte to "buf[size - 1]" when size is 0.
This bug was present in both implementations of wxVsnprintf(), so fix it
in both places too.
See #26522.
(cherry picked from commit a3ad8e33602aff06e57a7d3637df546cc07593b0)
Commit: 5093c11308637e3e2a20370960b6e4d10874557f
https://github.com/wxWidgets/wxWidgets/commit/5093c11308637e3e2a20370960b6e4d10874557f
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-06-01 (Mon, 01 Jun 2026)
Changed paths:
M docs/changes.txt
M src/common/regex.cpp
M tests/regex/wxregextest.cpp
Log Message:
-----------
Fix out-of-bounds read on trailing backslash in wxRegEx::Replace()
wxRegExImpl::Replace() scans replacement.c_str() and does *++p after a
backslash. When the replacement ends in a lone backslash, that reads the
terminating NUL, the else branch appends it, and the loop's p++ then
steps one byte past the NUL so the *p condition reads out of bounds.
Keep a trailing backslash verbatim and stop before the increment.
Add a test checking that this doesn't result in ASAN errors any more.
See #26541.
(cherry picked from commit 9b0eb807cd03eb9ba517b8d5371c91d811a7682b)
Compare: https://github.com/wxWidgets/wxWidgets/compare/95bfcbc82c62...5093c1130863
To unsubscribe from these emails, change your notification settings at https://github.com/wxWidgets/wxWidgets/settings/notifications
Reply all
Reply to author
Forward
0 new messages