From 1bf76ee5945451939894dfb805cee47c9f7d8705 Mon Sep 17 00:00:00 2001 From: Vadim Zeitlin Date: Sat, 22 Aug 2020 23:48:58 +0200 Subject: [PATCH] Add a safety check for the buffer size in wxIDataObject Avoid size overflow if the offset value is greater than it. --- src/msw/ole/dataobj.cpp | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/src/msw/ole/dataobj.cpp b/src/msw/ole/dataobj.cpp index 5eea992ac7..6dbeae8088 100644 --- a/src/msw/ole/dataobj.cpp +++ b/src/msw/ole/dataobj.cpp @@ -745,9 +745,20 @@ STDMETHODIMP wxIDataObject::SetData(FORMATETC *pformatetc, case CF_METAFILEPICT: size = sizeof(METAFILEPICT); break; + default: size = ptr.GetSize(); - size -= m_pDataObject->GetBufferOffset(format); + + // Account for the possible offset. + const size_t + ofs = m_pDataObject->GetBufferOffset(format); + + // Check that it has a reasonable value to avoid + // overflow. + if ( ofs > size ) + return E_UNEXPECTED; + + size -= ofs; } if ( !m_pDataObject->SetData(format, size, ptr.Get()) )
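Review bot: The new bounds check covers only the `default:` branch, while the `CF_METAFILEPICT` case just above it still sets `size = sizeof(METAFILEPICT)` without comparing that to `ptr.GetSize()`. The medium handed to this COM entry point is supplied by the calling application, so if the callee reads `size` bytes from `ptr.Get()`, a smaller block would presumably be read past its end. A guard of the same shape, `if ( ptr.GetSize() < sizeof(METAFILEPICT) ) return E_UNEXPECTED;`, would close that case, and any other fixed-size cases above the hunk deserve the same look. In the added lines, `ofs == size` is accepted and forwards a zero length to `m_pDataObject->SetData()`; if an empty payload is not meaningful for these formats, `ofs >= size` would be the stricter test. The switch and the enclosing function begin outside the hunk, so both points should be confirmed against the full body.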