Rob Shearman : kernel32:
Protect global alloc functions against integer overflows on the size
parameter .
Alexandre Julliard
julliard at wine.codeweavers.com
Mon Dec 18 05:34:34 CST 2006
Module: wine
Branch: master
Commit: c3b4fe391986737c1c41f33d1e5f9937388f7c9b
URL: http://source.winehq.org/git/wine.git/?a=commit;h=c3b4fe391986737c1c41f33d1e5f9937388f7c9b
Author: Rob Shearman <rob at codeweavers.com>
Date: Sun Dec 17 23:47:06 2006 +0000
kernel32: Protect global alloc functions against integer overflows on the size parameter.
---
dlls/kernel32/heap.c | 20 ++++++++++++++++++--
1 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/dlls/kernel32/heap.c b/dlls/kernel32/heap.c
index 5d7f61c..44545cd 100644
--- a/dlls/kernel32/heap.c
+++ b/dlls/kernel32/heap.c
@@ -365,6 +365,12 @@ HGLOBAL WINAPI GlobalAlloc(
}
else /* HANDLE */
{
+ if (size > INT_MAX-HGLOBAL_STORAGE)
+ {
+ SetLastError(ERROR_OUTOFMEMORY);
+ return 0;
+ }
+
RtlLockHeap(GetProcessHeap());
pintern = HeapAlloc(GetProcessHeap(), 0, sizeof(GLOBAL32_INTERN));
@@ -658,7 +664,12 @@ HGLOBAL WINAPI GlobalReAlloc(
hnew=hmem;
if(pintern->Pointer)
{
- if((palloc = HeapReAlloc(GetProcessHeap(), heap_flags,
+ if(size > INT_MAX-HGLOBAL_STORAGE)
+ {
+ SetLastError(ERROR_OUTOFMEMORY);
+ hnew = 0;
+ }
+ else if((palloc = HeapReAlloc(GetProcessHeap(), heap_flags,
(char *) pintern->Pointer-HGLOBAL_STORAGE,
size+HGLOBAL_STORAGE)) == NULL)
hnew = 0; /* Block still valid */
@@ -667,7 +678,12 @@ HGLOBAL WINAPI GlobalReAlloc(
}
else
{
- if((palloc=HeapAlloc(GetProcessHeap(), heap_flags, size+HGLOBAL_STORAGE))
+ if(size > INT_MAX-HGLOBAL_STORAGE)
+ {
+ SetLastError(ERROR_OUTOFMEMORY);
+ hnew = 0;
+ }
+ else if((palloc=HeapAlloc(GetProcessHeap(), heap_flags, size+HGLOBAL_STORAGE))
== NULL)
hnew = 0;
else
More information about the wine-cvs
mailing list