From f10487f060981efe67c1d34d8edcbac5825c0fa9 Mon Sep 17 00:00:00 2001
From: Vadim Zeitlin
Date: Wed, 2 May 2018 22:30:58 +0200
Subject: [PATCH] Fix buffer overflow in wxMSW stack walking code

VarSizedStruct buffer had a too small size in Unicode build as it forgot to multiply the name length by sizeof(TCHAR), resulting in overwriting memory on the stack after it when calling SymFromAddrW(). Closes #18127.
---
 docs/changes.txt | 1 +
 src/msw/debughlp.cpp | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/docs/changes.txt b/docs/changes.txt
index 973a1fb904..85e04f4c9b 100644
--- a/docs/changes.txt
+++ b/docs/changes.txt
@@ -90,6 +90,7 @@ wxMSW:
 - Fix hang after clearing wxTAB_TRAVERSAL style on a window with children.
 - Fix handling of AUX2 mouse button events (Trylz).
 - Fix saving/restoring window position for maximized windows.
+- Fix stack corruption when using wxStackWalker (srfisk).
 3.1.1: (released 2018-02-19)
diff --git a/src/msw/debughlp.cpp b/src/msw/debughlp.cpp
index a04fa47835..7aecd7f032 100644
--- a/src/msw/debughlp.cpp
+++ b/src/msw/debughlp.cpp
@@ -66,7 +66,7 @@ class VarSizedStruct
 public:
 VarSizedStruct()
 {
- ::ZeroMemory(m_buffer, sizeof(T) + MAX_NAME_LEN);
+ ::ZeroMemory(m_buffer, sizeof(T) + MAX_NAME_LEN*sizeof(TCHAR));
 (*this)->SizeOfStruct = sizeof(T);
 (*this)->MaxNameLen = MAX_NAME_LEN;
@@ -87,7 +87,7 @@ private:
 // if we wanted.
 enum { MAX_NAME_LEN = 1024 };
- BYTE m_buffer[sizeof(T) + MAX_NAME_LEN];
+ BYTE m_buffer[sizeof(T) + MAX_NAME_LEN*sizeof(TCHAR)];
 };
 } // anonymous namespace
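Review bot: The buffer size is still written out twice, once in the `::ZeroMemory` call in the VarSizedStruct constructor (hunk `@@ -66,7 +66,7 @@`) and once in the `m_buffer` declaration (hunk `@@ -87,7 +87,7 @@`). Two hand-maintained copies of the same expression can drift apart again the next time either is edited. Zeroing by the array's own size leaves a single place to get right: `::ZeroMemory(m_buffer, sizeof(m_buffer));`. The constructor body continues past the end of the hunk, so any later use of the size there is not visible here.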
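Review bot: Sizing the name area with `sizeof(TCHAR)` in the `m_buffer` declaration (hunk `@@ -87,7 +87,7 @@`) is correct only while TCHAR has the same width as the characters the symbol API writes into T. The commit message names SymFromAddrW(), which writes wide characters whatever TCHAR is defined as, so a build where TCHAR is one byte would presumably reintroduce the overflow; which structure T is cannot be seen from this hunk. Taking the element size from the structure itself avoids that coupling, e.g. `BYTE m_buffer[sizeof(T) + MAX_NAME_LEN*sizeof(((T*)NULL)->Name[0])];`, assuming T has the usual `Name` member. A short comment beside it would also help: `// MaxNameLen is in characters, m_buffer is sized in bytes`. The class body begins before the hunk.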