Amebis/wxWidgets
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix reading beyond end of buffer in UTF-16 decoding code.

Browse Source 
Verify that incrementing the input pointer doesn't take us outside the buffer.
Still accept a single trailing NUL as the string terminator.
This commit is contained in:
Vadim Zeitlin
2015-06-19 20:31:48 +02:00
parent 04c4e5f177
commit f72aa7b1c9
1 changed files with 12 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/common/strconv.cpp
View File

@@ -1702,8 +1702,18 @@ wxMBConvUTF16swap::ToWChar(wchar_t *dst, size_t dstLen,
wxUint16 tmp[2]; wxUint16 tmp[2];
tmp[0] = wxUINT16_SWAP_ALWAYS(*inBuff); tmp[0] = wxUINT16_SWAP_ALWAYS(*inBuff);
inBuff++; if ( ++inBuff < inEnd )
tmp[1] = wxUINT16_SWAP_ALWAYS(*inBuff); {
// Normal case, we have a next character to decode.
tmp[1] = wxUINT16_SWAP_ALWAYS(*inBuff);
}
else // End of input.
{
// Setting the second character to 0 ensures we correctly return
// wxCONV_FAILED if the first one is the first half of a surrogate
// as the second half can't be 0 in this case.
tmp[1] = 0;
}
const size_t numChars = decode_utf16(tmp, ch); const size_t numChars = decode_utf16(tmp, ch);
if ( numChars == wxCONV_FAILED ) if ( numChars == wxCONV_FAILED )