[wxWidgets/wxWidgets] 41969e: Fix wxURI::IsReference() description
0 views
Skip to first unread message
Javid Khan
May 30, 2026, 11:55:39 AM (12 days ago) May 30
to wx-co...@googlegroups.com
Branch: refs/heads/master
Home: https://github.com/wxWidgets/wxWidgets
Commit: 41969e24dc95c54f900f1fe9c48ac0771ff29246
https://github.com/wxWidgets/wxWidgets/commit/41969e24dc95c54f900f1fe9c48ac0771ff29246
Author: ryancog <17038122...@users.noreply.github.com>
Date: 2026-05-30 (Sat, 30 May 2026)
Changed paths:
M interface/wx/uri.h
Log Message:
-----------
Fix wxURI::IsReference() description
The documentation described the inverse of the name of the
function and what it actually did, fix it to describe the actual
function behaviour.
Closes #26520.
Commit: 83d55d0a9027e3798c5444554586b85cfba06015
https://github.com/wxWidgets/wxWidgets/commit/83d55d0a9027e3798c5444554586b85cfba06015
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-30 (Sat, 30 May 2026)
Changed paths:
M src/common/imagiff.cpp
M tests/image/image.cpp
Log Message:
-----------
Fix one-byte over-read in IFF decomprle replicate packet
The replicate-run branch reads the packet's data byte after only
checking that one source byte remains, but it consumes two (the control
byte plus the data byte). A BODY ending in a lone replicate control byte
then reads one byte past the input buffer. Require two bytes left,
matching the literal-run check above.
Closes #26518.
Commit: 2647c0806ff1d1caac4056e6760b996d72a409b1
https://github.com/wxWidgets/wxWidgets/commit/2647c0806ff1d1caac4056e6760b996d72a409b1
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-30 (Sat, 30 May 2026)
Changed paths:
M src/common/translation.cpp
M tests/intl/intltest.cpp
Log Message:
-----------
Fix buffer overflow when loading invalid message catalogs
Avoid integer overflow in message catalog StringAtOfs() bounds check:
StringAtOfs() read ofsString and nLen from the .mo file and checked
ofsString + nLen against the data length, but both are 32-bit so the
sum wraps and a translated entry declaring nLen 0xffffffff passes the
check; FillHash() then scans past the end of the catalog. Compute the
offset as a 64-bit value so the addition can't overflow and result in an
invalid index into the buffer.
Add a test feeding such a catalog through wxMsgCatalog::CreateFromData().
Closes #26513.
Commit: 46f928d057a478bf4202f4ee381d74d9a0d7543e
https://github.com/wxWidgets/wxWidgets/commit/46f928d057a478bf4202f4ee381d74d9a0d7543e
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-30 (Sat, 30 May 2026)
Changed paths:
M src/common/xpmdecod.cpp
M tests/image/image.cpp
Log Message:
-----------
Fix buffer overflow on invalid width in wxXPMDecoder
Fix integer overflow in wxXPMDecoder::ReadData() when computing
width*chars_per_pixel: a header with a (very) large width could result
in wrapping around and result in reasonable but yet invalid value, which
could let the key-reading loop run off the end of the buffer.
Compute the product in 64-bits to avoid the overflow.
Closes #26519.
Commit: 262cec29155eca7ff9a6fd2e1d7d7cfd4912fa0d
https://github.com/wxWidgets/wxWidgets/commit/262cec29155eca7ff9a6fd2e1d7d7cfd4912fa0d
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-30 (Sat, 30 May 2026)
Changed paths:
M src/unix/sound.cpp
Log Message:
-----------
Fix data-size bound check past LIST chunk in wxSound::LoadWAV()
The check compared ul against length minus the fixed offset FMT_INDEX +
uiSize + 16, which equals data_offset + 8 only when no LIST chunk is
present. When a LIST chunk is present data_offset has already been
advanced past it, so a crafted WAV can pass this check with ul larger
than the bytes that actually follow the data-chunk header, and the
OSS/SDL playback paths then read past m_dataWithHeader. Use data_offset
directly so the same constraint holds either way.
Closes #26525.
Compare: https://github.com/wxWidgets/wxWidgets/compare/eedc16bc89a8...262cec29155e
To unsubscribe from these emails, change your notification settings at https://github.com/wxWidgets/wxWidgets/settings/notifications
Home: https://github.com/wxWidgets/wxWidgets
Commit: 41969e24dc95c54f900f1fe9c48ac0771ff29246
https://github.com/wxWidgets/wxWidgets/commit/41969e24dc95c54f900f1fe9c48ac0771ff29246
Author: ryancog <17038122...@users.noreply.github.com>
Date: 2026-05-30 (Sat, 30 May 2026)
Changed paths:
M interface/wx/uri.h
Log Message:
-----------
Fix wxURI::IsReference() description
The documentation described the inverse of the name of the
function and what it actually did, fix it to describe the actual
function behaviour.
Closes #26520.
Commit: 83d55d0a9027e3798c5444554586b85cfba06015
https://github.com/wxWidgets/wxWidgets/commit/83d55d0a9027e3798c5444554586b85cfba06015
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-30 (Sat, 30 May 2026)
Changed paths:
M src/common/imagiff.cpp
M tests/image/image.cpp
Log Message:
-----------
Fix one-byte over-read in IFF decomprle replicate packet
The replicate-run branch reads the packet's data byte after only
checking that one source byte remains, but it consumes two (the control
byte plus the data byte). A BODY ending in a lone replicate control byte
then reads one byte past the input buffer. Require two bytes left,
matching the literal-run check above.
Closes #26518.
Commit: 2647c0806ff1d1caac4056e6760b996d72a409b1
https://github.com/wxWidgets/wxWidgets/commit/2647c0806ff1d1caac4056e6760b996d72a409b1
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-30 (Sat, 30 May 2026)
Changed paths:
M src/common/translation.cpp
M tests/intl/intltest.cpp
Log Message:
-----------
Fix buffer overflow when loading invalid message catalogs
Avoid integer overflow in message catalog StringAtOfs() bounds check:
StringAtOfs() read ofsString and nLen from the .mo file and checked
ofsString + nLen against the data length, but both are 32-bit so the
sum wraps and a translated entry declaring nLen 0xffffffff passes the
check; FillHash() then scans past the end of the catalog. Compute the
offset as a 64-bit value so the addition can't overflow and result in an
invalid index into the buffer.
Add a test feeding such a catalog through wxMsgCatalog::CreateFromData().
Closes #26513.
Commit: 46f928d057a478bf4202f4ee381d74d9a0d7543e
https://github.com/wxWidgets/wxWidgets/commit/46f928d057a478bf4202f4ee381d74d9a0d7543e
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-30 (Sat, 30 May 2026)
Changed paths:
M src/common/xpmdecod.cpp
M tests/image/image.cpp
Log Message:
-----------
Fix buffer overflow on invalid width in wxXPMDecoder
Fix integer overflow in wxXPMDecoder::ReadData() when computing
width*chars_per_pixel: a header with a (very) large width could result
in wrapping around and result in reasonable but yet invalid value, which
could let the key-reading loop run off the end of the buffer.
Compute the product in 64-bits to avoid the overflow.
Closes #26519.
Commit: 262cec29155eca7ff9a6fd2e1d7d7cfd4912fa0d
https://github.com/wxWidgets/wxWidgets/commit/262cec29155eca7ff9a6fd2e1d7d7cfd4912fa0d
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-30 (Sat, 30 May 2026)
Changed paths:
M src/unix/sound.cpp
Log Message:
-----------
Fix data-size bound check past LIST chunk in wxSound::LoadWAV()
The check compared ul against length minus the fixed offset FMT_INDEX +
uiSize + 16, which equals data_offset + 8 only when no LIST chunk is
present. When a LIST chunk is present data_offset has already been
advanced past it, so a crafted WAV can pass this check with ul larger
than the bytes that actually follow the data-chunk header, and the
OSS/SDL playback paths then read past m_dataWithHeader. Use data_offset
directly so the same constraint holds either way.
Closes #26525.
Compare: https://github.com/wxWidgets/wxWidgets/compare/eedc16bc89a8...262cec29155e
To unsubscribe from these emails, change your notification settings at https://github.com/wxWidgets/wxWidgets/settings/notifications
Reply all
Reply to author
Forward
0 new messages