From c336299eb66bf22178ffdb54b02c47afd9f9017e Mon Sep 17 00:00:00 2001
From: Vadim Zeitlin <vadim@wxwidgets.org>
Date: Sat, 5 Apr 2008 17:28:32 +0000
Subject: [PATCH] don't crash in ReadString() if the length read from the
 stream is too big (bug 1933560)

git-svn-id: https://svn.wxwidgets.org/svn/wx/wxWidgets/branches/WX_2_8_BRANCH@53028 c3d73ce0-8a6f-49c7-b76d-6d57e0e08775
---
 src/common/datstrm.cpp | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/src/common/datstrm.cpp b/src/common/datstrm.cpp
index 50e4eb4b2e..80ffe0165b 100644
--- a/src/common/datstrm.cpp
+++ b/src/common/datstrm.cpp
@@ -100,25 +100,27 @@ double wxDataInputStream::ReadDouble()
 
 wxString wxDataInputStream::ReadString()
 {
-  size_t len;
-
-  len = Read32();
-
-  if (len > 0)
-  {
-#if wxUSE_UNICODE
-    wxCharBuffer tmp(len + 1);
-    m_input->Read(tmp.data(), len);
-    tmp.data()[len] = '\0';
-    wxString ret(m_conv->cMB2WX(tmp.data()));
-#else
     wxString ret;
-    m_input->Read( wxStringBuffer(ret, len), len);
+
+    const size_t len = Read32();
+    if ( len > 0 )
+    {
+#if wxUSE_UNICODE
+        wxCharBuffer tmp(len + 1);
+        if ( tmp )
+        {
+            m_input->Read(tmp.data(), len);
+            tmp.data()[len] = '\0';
+            ret = m_conv->cMB2WX(tmp.data());
+        }
+#else
+        wxStringBuffer buf(ret, len);
+        if ( buf )
+            m_input->Read(buf, len);
 #endif
+    }
+
     return ret;
-  }
-  else
-    return wxEmptyString;
 }
 
 #if wxUSE_LONGLONG