From 666ff421bb19d7ed453477d66ac580de017b13ba Mon Sep 17 00:00:00 2001
From: Vadim Zeitlin
Date: Thu, 9 Nov 2017 21:56:07 +0100
Subject: [PATCH] Fix an out of bounds read in UTF-7 decoding code

Calling wxMBConvUTF7::ToWChar(..., "+", 1) resulted in reading uninitialized memory as the decoding code didn't check that there were any bytes left when switching to the "shifted" mode. Fix this by explicitly checking for this and returning an error if nothing is left.
---
 src/common/strconv.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/common/strconv.cpp b/src/common/strconv.cpp
index 11d1adbc54..51808a3078 100644
--- src/common/strconv.cpp
+++ src/common/strconv.cpp
@@ -699,6 +699,10 @@ size_t wxMBConvUTF7::ToWChar(wchar_t *dst, size_t dstLen,
 // start of an encoded segment?
 if ( cc == '+' )
 {
+ // Can't end with a plus sign.
+ if ( src == srcEnd )
+ return wxCONV_FAILED;
+
 if ( *src == '-' )
 {
 // just the encoded plus sign, don't switch to shifted mode
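Review bot: The added `src == srcEnd` check in the `cc == '+'` branch is the only thing keeping the `*src == '-'` read on the following line inside the buffer, but its comment states the format rule rather than the memory-safety reason. I would word it as `// No byte follows '+': fail here, the *src read below would be past srcEnd.` so a later refactor does not move or drop the guard. The diffstat shows only src/common/strconv.cpp changed, so nothing pins the `ToWChar(..., "+", 1)` case from the commit message; a unit test asserting `wxCONV_FAILED` for that input would keep the fix from regressing. The body of `ToWChar` starts and ends outside this hunk, so whether the reads made after switching to shifted mode are bounded against `srcEnd` in the same way cannot be confirmed from here and is worth checking alongside this change.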