From 0c223a81467da68fe874657cafad9c304275a33f Mon Sep 17 00:00:00 2001
From: Vadim Zeitlin
Date: Sun, 24 May 2015 01:23:46 +0200
Subject: [PATCH] Fix buffer overrun in wxPrintf() format parsing code.

Parsing a format specifier with an asterisk (e.g. "%.*s") for the 64th argument of wxPrintf() resulted in a buffer overrun as the check for the maximal number of arguments didn't break out from the right loop. Fix this by inserting an extra check for this. Thanks Coverity for finding this one.
---
 include/wx/private/wxprintf.h | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/include/wx/private/wxprintf.h b/include/wx/private/wxprintf.h
index 00013c193a..7e658b9013 100644
--- a/include/wx/private/wxprintf.h
+++ b/include/wx/private/wxprintf.h
@@ -870,6 +870,11 @@ struct wxPrintfConvSpecParser
 spec = &specs[nargs];
 }
+
+ // If we hit the maximal number of arguments inside the inner
+ // loop, break out of the outer one as well.
+ if ( nargs == wxMAX_SVNPRINTF_ARGUMENTS )
+ break;
 }
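Review bot: The guard added after the inner loop compares with `==`, so it only fires when `nargs` lands exactly on `wxMAX_SVNPRINTF_ARGUMENTS`. Because the context line `spec = &specs[nargs];` uses `nargs` as an index, `if ( nargs >= wxMAX_SVNPRINTF_ARGUMENTS )` would keep the bound enforced even if an increment path not visible in this hunk steps past the limit. The commit changes only the header (1 file changed), so nothing pins the fix; a regression test that formats with an asterisk specifier in the last argument slot, run under a memory-checking build, would catch a reintroduction. Both loops start outside the hunk, so whether the inner loop's own limit check runs before that assignment cannot be confirmed from here.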