From 51791822a1d3d88ad280cbd33b2c78a39c289715 Mon Sep 17 00:00:00 2001
From: Vadim Zeitlin
Date: Sat, 20 Sep 2014 22:07:48 +0000
Subject: [PATCH] Avoid integer overflow/wraparound in wxString::Mid().

Don't compare nLength with "nFirst + nCount" as this could wrap around. Compare nCount with maximal allowed count, after ensuring that nFirst itself is valid first, instead.

Closes #16572.

git-svn-id: https://svn.wxwidgets.org/svn/wx/wxWidgets/trunk@77749 c3d73ce0-8a6f-49c7-b76d-6d57e0e08775
---
 src/common/string.cpp | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/common/string.cpp b/src/common/string.cpp
index bdc1fdcee9..8b81d86205 100644
--- a/src/common/string.cpp
+++ b/src/common/string.cpp
@@ -1242,17 +1242,17 @@ wxString wxString::Mid(size_t nFirst, size_t nCount) const
 }

 // out-of-bounds requests return sensible things
- if ( nFirst + nCount > nLen )
- {
- nCount = nLen - nFirst;
- }
-
 if ( nFirst > nLen )
 {
 // AllocCopy() will return empty string
 return wxEmptyString;
 }

+ if ( nCount > nLen - nFirst )
+ {
+ nCount = nLen - nFirst;
+ }
+
 wxString dest(*this, nFirst, nCount);
 if ( dest.length() != nCount )
 {
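Review bot: The new clamp `if ( nCount > nLen - nFirst )` is only safe because the `nFirst > nLen` early return now runs before it, and nothing in the code records that the order matters; with the two checks swapped, `nLen - nFirst` would wrap for an out-of-range nFirst. I would add a comment above the clamp, for example `// nFirst <= nLen is guaranteed here, so nLen - nFirst cannot wrap; do not rewrite this as nFirst + nCount > nLen, which overflows for large nCount`. The diffstat lists only src/common/string.cpp, so a regression case for a very large nCount combined with a nonzero nFirst presumably still needs adding to the string tests. Mid() starts before and continues past this hunk, so how nLen is computed is not visible here.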