fix out-of-bounds read on trailing backslash in wxRegExImpl::Replace (PR #26541)

16 views
Skip to first unread message

Javid Khan

unread,
Jun 1, 2026, 12:04:09 AM (3 days ago) Jun 1
to wx-...@googlegroups.com, Subscribed

wxRegExImpl::Replace() scans replacement.c_str() and does *++p after a backslash. When the replacement ends in a lone backslash, that reads the terminating NUL, the else branch appends it, and the loop's p++ then steps one byte past the NUL so the *p condition reads out of bounds (ASan: heap-buffer-overflow read, 1 byte past the buffer; if the byte is non-zero it keeps scanning and copies adjacent memory into the result). Reachable through the public Replace()/ReplaceAll(). Keep a trailing backslash verbatim and stop before the increment. Test added in tests/regex/wxregextest.cpp.

You can view, comment on, or merge this pull request online at:

  https://github.com/wxWidgets/wxWidgets/pull/26541

Commit Summary

  • 03c2f3e fix out-of-bounds read on trailing backslash in wxRegExImpl::Replace

File Changes

(2 files)

Patch Links:


Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications, keep track of coding agent tasks and review pull requests on the go with GitHub Mobile for iOS and Android. Download it today!
You are receiving this because you are subscribed to this thread.Message ID: <wxWidgets/wxWidgets/pull/26541@github.com>

VZ

unread,
Jun 1, 2026, 8:09:44 AM (2 days ago) Jun 1
to wx-...@googlegroups.com, Subscribed
vadz left a comment (wxWidgets/wxWidgets#26541)

Thanks for finding and fixing this one, will merge soon.


Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications, keep track of coding agent tasks and review pull requests on the go with GitHub Mobile for iOS and Android. Download it today!

You are receiving this because you are subscribed to this thread.Message ID: <wxWidgets/wxWidgets/pull/26541/c4592433584@github.com>

VZ

unread,
Jun 1, 2026, 8:13:16 AM (2 days ago) Jun 1
to wx-...@googlegroups.com, Subscribed

Closed #26541 via 9b0eb80.


Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications, keep track of coding agent tasks and review pull requests on the go with GitHub Mobile for iOS and Android. Download it today!

You are receiving this because you are subscribed to this thread.Message ID: <wxWidgets/wxWidgets/pull/26541/issue_event/26186406578@github.com>

Reply all
Reply to author
Forward
0 new messages