Marcus Meissner : oleaut32:
Protect against integer overflow in SysAllocStringLen.
Alexandre Julliard
julliard at wine.codeweavers.com
Fri Nov 24 06:19:40 CST 2006
Module: wine
Branch: master
Commit: caa301a73670d49a4553faab165d65f44c315693
URL: http://source.winehq.org/git/wine.git/?a=commit;h=caa301a73670d49a4553faab165d65f44c315693
Author: Marcus Meissner <marcus at jet.franken.de>
Date: Fri Nov 24 08:45:57 2006 +0100
oleaut32: Protect against integer overflow in SysAllocStringLen.
---
dlls/oleaut32/oleaut.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/dlls/oleaut32/oleaut.c b/dlls/oleaut32/oleaut.c
index 8ffdc72..d6a08a9 100644
--- a/dlls/oleaut32/oleaut.c
+++ b/dlls/oleaut32/oleaut.c
@@ -20,6 +20,7 @@
#include <stdarg.h>
#include <string.h>
+#include <limits.h>
#define COBJMACROS
@@ -217,6 +218,9 @@ BSTR WINAPI SysAllocStringLen(const OLEC
DWORD* newBuffer;
WCHAR* stringBuffer;
+ /* Detect integer overflow. */
+ if (len >= ((UINT_MAX-sizeof(WCHAR)-sizeof(DWORD))/sizeof(WCHAR)))
+ return NULL;
/*
* Find the length of the buffer passed-in, in bytes.
*/
@@ -234,8 +238,8 @@ BSTR WINAPI SysAllocStringLen(const OLEC
/*
* If the memory allocation failed, return a null pointer.
*/
- if (newBuffer==0)
- return 0;
+ if (!newBuffer)
+ return NULL;
/*
* Copy the length of the string in the placeholder.
More information about the wine-cvs
mailing list