From 77df2f30a4014d74f6f03116e79fdf4fa7a0d60b Mon Sep 17 00:00:00 2001
From: Vadim Zeitlin <vadim@wxwidgets.org>
Date: Fri, 19 Sep 2014 11:51:48 +0000
Subject: [PATCH] Avoid integer overflow/wraparound in wxString::Mid().

Don't compare nLength with "nFirst + nCount" as this could wrap around.

Compare nCount with maximal allowed count, after ensuring that nFirst itself
is valid first, instead.

Closes #16572.

git-svn-id: https://svn.wxwidgets.org/svn/wx/wxWidgets/branches/WX_3_0_BRANCH@77725 c3d73ce0-8a6f-49c7-b76d-6d57e0e08775
---
 src/common/string.cpp | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/common/string.cpp b/src/common/string.cpp
index c2b2292b1c..2d30e939ee 100644
--- a/src/common/string.cpp
+++ b/src/common/string.cpp
@@ -1244,17 +1244,17 @@ wxString wxString::Mid(size_t nFirst, size_t nCount) const
     }
 
     // out-of-bounds requests return sensible things
-    if ( nFirst + nCount > nLen )
-    {
-        nCount = nLen - nFirst;
-    }
-
     if ( nFirst > nLen )
     {
         // AllocCopy() will return empty string
         return wxEmptyString;
     }
 
+    if ( nCount > nLen - nFirst )
+    {
+        nCount = nLen - nFirst;
+    }
+
     wxString dest(*this, nFirst, nCount);
     if ( dest.length() != nCount )
     {