reject out-of-range parent index in LoadCachedBook (PR #26577)
Javid Khan
LoadCachedBook reads each index entry's parent back-reference straight from the .cached file and uses it as m_index[m_index.size() - parentShift] with no check, so a crafted cached file (which can sit inside a .htb help archive opened through AddBook) makes the subtraction wrap and leaves the parent pointer outside the array; that pointer is later dereferenced when the index is sorted at the end of AddBookParam. The change rejects the file when parentShift is negative or larger than the number of index entries loaded so far, matching the existing version and flags checks just above. There's a small test under tests/html that feeds such a cached stream and confirms it is now refused rather than reading out of bounds.
You can view, comment on, or merge this pull request online at:
https://github.com/wxWidgets/wxWidgets/pull/26577
Commit Summary
- 1202ac7 reject out-of-range parent index in cached help book
File Changes
(5 files)
- M build/cmake/tests/gui/CMakeLists.txt (1)
- M src/html/helpdata.cpp (9)
- M tests/Makefile.in (4)
- A tests/html/helpdata.cpp (81)
- M tests/test.bkl (1)
Patch Links:
- https://github.com/wxWidgets/wxWidgets/pull/26577.patch
- https://github.com/wxWidgets/wxWidgets/pull/26577.diff
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications, keep track of coding agent tasks and review pull requests on the go with GitHub Mobile for iOS and Android. Download it today!
You are receiving this because you are subscribed to this thread.
VZ
vadz left a comment (wxWidgets/wxWidgets#26577)Nice find, thanks, will merge soon.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications, keep track of coding agent tasks and review pull requests on the go with GitHub Mobile for iOS and Android. Download it today!
You are receiving this because you are subscribed to this thread.