Fix buffer overrun in wxPrintf() format parsing code.

Parsing a format specifier with an asterisk (e.g. "%.*s") for the 64th argument of wxPrintf() resulted in a buffer overrun as the check for the maximal number of arguments didn't break out from the right loop. Fix this by inserting an extra check for this. Thanks Coverity for finding this one.
2015-05-24 01:23:46 +02:00 · 2015-05-24 01:23:46 +02:00 · 0c223a8146
commit 0c223a8146
parent d6406db6ed
1 changed files with 5 additions and 0 deletions
--- a/include/wx/private/wxprintf.h
+++ b/include/wx/private/wxprintf.h
@ -870,6 +870,11 @@ struct wxPrintfConvSpecParser

                    spec = &specs[nargs];
                }
+
+                // If we hit the maximal number of arguments inside the inner
+                // loop, break out of the outer one as well.
+                if ( nargs == wxMAX_SVNPRINTF_ARGUMENTS )
+                    break;
            }