fix rowspan/colspan integer overflow in wxHtmlTableCell::AddCell (PR #26554)
Javid Khan
AddCell() reads COLSPAN and ROWSPAN from the markup into ints with no upper bound, then uses r + rowspan and c + colspan to grow the cell table and to index ypos[] in Layout(). A value near INT_MAX, e.g. in the second row, overflows the addition so the r + rowspan > m_NumRows growth check is bypassed and Layout() writes past the end of ypos[]. Clamp colspan and rowspan to the limits from the HTML spec (1000 and 65534).
You can view, comment on, or merge this pull request online at:
https://github.com/wxWidgets/wxWidgets/pull/26554
Commit Summary
- 9601e08 fix rowspan/colspan integer overflow in wxHtmlTableCell::AddCell
File Changes
(1 file)
- M src/html/m_tables.cpp (9)
Patch Links:
- https://github.com/wxWidgets/wxWidgets/pull/26554.patch
- https://github.com/wxWidgets/wxWidgets/pull/26554.diff
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications, keep track of coding agent tasks and review pull requests on the go with GitHub Mobile for iOS and Android. Download it today!
You are receiving this because you are subscribed to this thread.
VZ
vadz left a comment (wxWidgets/wxWidgets#26554)Thanks for fixing this!
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications, keep track of coding agent tasks and review pull requests on the go with GitHub Mobile for iOS and Android. Download it today!
You are receiving this because you are subscribed to this thread.
VZ
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications, keep track of coding agent tasks and review pull requests on the go with GitHub Mobile for iOS and Android. Download it today!
You are receiving this because you are subscribed to this thread.