[Bug 33457] New: Will the multiplication suffer from integer overflow @line 268?
wine-bugs at winehq.org
Thu Apr 25 06:48:39 CDT 2013
http://bugs.winehq.org/show_bug.cgi?id=33457
Bug #: 33457
Summary: Will the multiplication suffer from integer overflow @line 268?
Product: Wine
Version: unspecified
Platform: x86
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: comctl32
AssignedTo: wine-bugs at winehq.org
ReportedBy: sunxs at is.iscas.ac.cn
Classification: Unclassified
We notice that the multiplication at line 268 may overflow under some conditions,
and is not checked.
We think it is necessary to check it, as DSA_InsertItem is an exported
function. It is not guaranteed that all the parameters will be in the valid
range.
The related code is shown below.
Xiaoshan Sun
TCA, ISCAS
============== related source code ========================================
Implemented in "dlls/comctl32/dsa.c".
source.winehq.org/source/dlls/comctl32/dsa.c
251 INT WINAPI DSA_InsertItem (const HDSA hdsa, INT nIndex, LPVOID pSrc)
252 {
253     INT nNewItems, nSize;
254     LPVOID lpTemp, lpDest;
255
256     TRACE("(%p %d %p)\n", hdsa, nIndex, pSrc);
257
258     if ((!hdsa) || nIndex < 0)
259         return -1;
260
261     /* when nIndex >= nItemCount then append */
262     if (nIndex >= hdsa->nItemCount)
263         nIndex = hdsa->nItemCount;
264
265     /* do we need to resize ? */
266     if (hdsa->nItemCount >= hdsa->nMaxCount) {
267         nNewItems = hdsa->nMaxCount + hdsa->nGrow;
268         nSize = hdsa->nItemSize * nNewItems;
            // if ( nSize/nNewItems != hdsa->nItemSize){ overflow detected;}
269
270         lpTemp = ReAlloc (hdsa->pData, nSize);
--
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.
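
Added example, not part of the original report and not Wine's code: the range checks for the addition at line 267 and the multiplication at line 268, done before either operation runs, so no signed overflow (undefined behaviour in C) occurs and a zero item count cannot cause a division by zero. The names struct dsa_fields, dsa_checked_grow and demo_size are hypothetical, and treating non-positive nGrow or nItemSize as invalid is an assumption.

```c
#include <limits.h>

/* Hypothetical stand-in for the DSA fields used in the excerpt
 * (not Wine's actual structure definition). */
struct dsa_fields {
    int nItemCount;
    int nMaxCount;
    int nGrow;
    int nItemSize;
};

/*
 * Compute the grown capacity and its byte size without ever executing an
 * overflowing signed operation. Returns 1 and fills the outputs on success,
 * 0 if a field is out of range or the result does not fit in an int.
 */
static int dsa_checked_grow(const struct dsa_fields *d, int *new_items, int *new_size)
{
    /* Assumption: non-positive growth or item size is treated as invalid. */
    if (!d || d->nMaxCount < 0 || d->nGrow <= 0 || d->nItemSize <= 0)
        return 0;

    /* nMaxCount + nGrow: compare against INT_MAX before adding. */
    if (d->nMaxCount > INT_MAX - d->nGrow)
        return 0;
    int items = d->nMaxCount + d->nGrow;    /* items >= 1 from here on */

    /* nItemSize * items: bound with a division before multiplying. */
    if (items > INT_MAX / d->nItemSize)
        return 0;

    *new_items = items;
    *new_size = d->nItemSize * items;
    return 1;
}

/* Constructed sample input: a full array (nItemCount == nMaxCount).
 * Returns the new byte size, or -1 if the request is rejected. */
static int demo_size(int max_count, int grow, int item_size)
{
    struct dsa_fields d = { max_count, max_count, grow, item_size };
    int items = 0, size = 0;
    return dsa_checked_grow(&d, &items, &size) ? size : -1;
}
```

A caller in the position of line 270 would return -1 when the check fails instead of passing the size to the reallocation.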