From f72aa7b1c96c8bbf745459b488716d6ac58f0a2a Mon Sep 17 00:00:00 2001
From: Vadim Zeitlin
Date: Fri, 19 Jun 2015 20:31:48 +0200
Subject: [PATCH] Fix reading beyond end of buffer in UTF-16 decoding code.
Verify that incrementing the input pointer doesn't take us outside the buffer. Still accept a single trailing NUL as the string terminator.
---
 src/common/strconv.cpp | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/common/strconv.cpp b/src/common/strconv.cpp
index e1e37822f9..a0898cf23f 100644
--- a/src/common/strconv.cpp
+++ b/src/common/strconv.cpp
@@ -1702,8 +1702,18 @@ wxMBConvUTF16swap::ToWChar(wchar_t *dst, size_t dstLen,
 wxUint16 tmp[2];
 tmp[0] = wxUINT16_SWAP_ALWAYS(*inBuff);
- inBuff++;
- tmp[1] = wxUINT16_SWAP_ALWAYS(*inBuff);
+ if ( ++inBuff < inEnd )
+ {
+ // Normal case, we have a next character to decode.
+ tmp[1] = wxUINT16_SWAP_ALWAYS(*inBuff);
+ }
+ else // End of input.
+ {
+ // Setting the second character to 0 ensures we correctly return
+ // wxCONV_FAILED if the first one is the first half of a surrogate
+ // as the second half can't be 0 in this case.
+ tmp[1] = 0;
+ }
 const size_t numChars = decode_utf16(tmp, ch);
 if ( numChars == wxCONV_FAILED )
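Review bot: The `else // End of input.` branch is only safe as long as `decode_utf16()` rejects a first-half surrogate followed by 0, and nothing in this patch pins that down: the diffstat shows `src/common/strconv.cpp` as the only file changed, so no regression test accompanies the fix. A test that passes `ToWChar()` a byte-swapped buffer whose last code unit is the first half of a surrogate pair and expects `wxCONV_FAILED`, ideally run under a memory checker, would keep the over-read from coming back unnoticed. The hunk touches only `wxMBConvUTF16swap::ToWChar`, so it is worth checking whether other callers of `decode_utf16()` in this file can hand it a pointer to the last code unit of the input; that is not visible here. The function body starts and ends outside the hunk.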