From: Vadim Zeitlin <vadim@wxwidgets.org>
Date: Sat, 5 Apr 2008 17:28:32 +0000 (+0000)
Subject: don't crash in ReadString() if the length read from the stream is too big (bug 1933560)
X-Git-Url: https://git.saurik.com/wxWidgets.git/commitdiff_plain/0094bc4c410493752777bdb104571d449b1be4b3

don't crash in ReadString() if the length read from the stream is too big (bug 1933560)

git-svn-id: https://svn.wxwidgets.org/svn/wx/wxWidgets/trunk@53028 c3d73ce0-8a6f-49c7-b76d-6d57e0e08775
---

diff --git a/src/common/datstrm.cpp b/src/common/datstrm.cpp
index 40e10fe09c..d568c6d7c0 100644
--- a/src/common/datstrm.cpp
+++ b/src/common/datstrm.cpp
@@ -100,25 +100,27 @@ double wxDataInputStream::ReadDouble()
 
 wxString wxDataInputStream::ReadString()
 {
-  size_t len;
-
-  len = Read32();
+    wxString ret;
 
-  if (len > 0)
-  {
+    const size_t len = Read32();
+    if ( len > 0 )
+    {
 #if wxUSE_UNICODE
-    wxCharBuffer tmp(len + 1);
-    m_input->Read(tmp.data(), len);
-    tmp.data()[len] = '\0';
-    wxString ret(m_conv->cMB2WX(tmp.data()));
+        wxCharBuffer tmp(len + 1);
+        if ( tmp )
+        {
+            m_input->Read(tmp.data(), len);
+            tmp.data()[len] = '\0';
+            ret = m_conv->cMB2WX(tmp.data());
+        }
 #else
-    wxString ret;
-    m_input->Read( wxStringBuffer(ret, len), len);
+        wxStringBuffer buf(ret, len);
+        if ( buf )
+            m_input->Read(buf, len);
 #endif
+    }
+
     return ret;
-  }
-  else
-    return wxEmptyString;
 }
 
 #if wxUSE_LONGLONG