From 72c5691d2f318997f9d99eefcfcdce33250cbfa0 Mon Sep 17 00:00:00 2001
From: Vadim Zeitlin <vadim@wxwidgets.org>
Date: Wed, 21 Jun 2023 16:30:24 +0200
Subject: [PATCH] Fix buffer overrun in wxHTMLDataObject under non-MSW
 platforms

Using strcpy() in GetDataHere() added an extra NUL at the end which
didn't fit into the buffer of the size returned by GetDataSize(). This
could have been also fixed by returning an extra byte from the latter
function, but as the string doesn't need to be NUL-terminated,
apparently, just use memcpy() with the correct number of bytes instead.

Also, because the string is not necessarily NUL-terminated, use the
provided length in wxHTMLDataObject::SetData() instead of relying on the
buffer being NUL-terminated and reading uninitialized memory beyond its
size.

Add a unit test confirming that there are no more ASAN errors when using
this class.

Closes #23660.

Co-Authored-By: mcorino <martin@corino.nl>
---
 tests/misc/guifuncs.cpp | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/tests/misc/guifuncs.cpp b/tests/misc/guifuncs.cpp
index ba4c8d6246..22a736636b 100644
--- a/tests/misc/guifuncs.cpp
+++ b/tests/misc/guifuncs.cpp
@@ -92,6 +92,22 @@ TEST_CASE("GUI::URLDataObject", "[guifuncs][clipboard]")
     CHECK( dobj2.GetURL() == url );
 }
 
+TEST_CASE("GUI::HTMLDataObject", "[guifuncs][clipboard]")
+{
+    const wxString text("<h1>Hello clipboard!</h1>");
+
+    wxHTMLDataObject* const dobj = new wxHTMLDataObject(text);
+    CHECK( dobj->GetHTML() == text );
+
+    wxClipboardLocker lockClip;
+    CHECK( wxTheClipboard->SetData(dobj) );
+    wxTheClipboard->Flush();
+
+    wxHTMLDataObject dobj2;
+    REQUIRE( wxTheClipboard->GetData(dobj2) );
+    CHECK( dobj2.GetHTML() == text );
+}
+
 // This disabled by default test allows to check that we retrieve HTML data
 // from the system clipboard correctly.
 TEST_CASE("GUI::ShowHTML", "[.]")