Rob Shearman : oleaut32: Handle integer overflow of len in SysReAllocStringLen and SysAllocStringByteLen .
Alexandre Julliard
julliard at winehq.org
Wed Nov 28 08:01:39 CST 2007
Module: wine
Branch: master
Commit: 241b25b5bdd470d844afa6ec71de8b3476c832c9
URL: http://source.winehq.org/git/wine.git/?a=commit;h=241b25b5bdd470d844afa6ec71de8b3476c832c9
Author: Rob Shearman <rob at codeweavers.com>
Date: Tue Nov 27 22:43:00 2007 +0000
oleaut32: Handle integer overflow of len in SysReAllocStringLen and SysAllocStringByteLen.
---
dlls/oleaut32/oleaut.c | 8 ++++++++
dlls/oleaut32/tests/vartype.c | 3 +++
2 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/dlls/oleaut32/oleaut.c b/dlls/oleaut32/oleaut.c
index f756d83..a677408 100644
--- a/dlls/oleaut32/oleaut.c
+++ b/dlls/oleaut32/oleaut.c
@@ -291,6 +291,10 @@ BSTR WINAPI SysAllocStringLen(const OLECHAR *str, unsigned int len)
*/
int WINAPI SysReAllocStringLen(BSTR* old, const OLECHAR* str, unsigned int len)
{
+ /* Detect integer overflow. */
+ if (len >= ((UINT_MAX-sizeof(WCHAR)-sizeof(DWORD))/sizeof(WCHAR)))
+ return 0;
+
if (*old!=NULL) {
DWORD newbytelen = len*sizeof(WCHAR);
DWORD *ptr = HeapReAlloc(GetProcessHeap(),0,((DWORD*)*old)-1,newbytelen+sizeof(WCHAR)+sizeof(DWORD));
@@ -340,6 +344,10 @@ BSTR WINAPI SysAllocStringByteLen(LPCSTR str, UINT len)
DWORD* newBuffer;
char* stringBuffer;
+ /* Detect integer overflow. */
+ if (len >= (UINT_MAX-sizeof(WCHAR)-sizeof(DWORD)))
+ return NULL;
+
/*
* Allocate a new buffer to hold the string.
* don't forget to keep an empty spot at the beginning of the
diff --git a/dlls/oleaut32/tests/vartype.c b/dlls/oleaut32/tests/vartype.c
index b0335aa..2292036 100644
--- a/dlls/oleaut32/tests/vartype.c
+++ b/dlls/oleaut32/tests/vartype.c
@@ -5068,6 +5068,9 @@ static void test_SysAllocStringByteLen(void)
str = SysAllocStringByteLen(szTestA, 0x80000000);
ok (str == NULL, "Expected NULL, got %p\n", str);
+ str = SysAllocStringByteLen(szTestA, 0xffffffff);
+ ok (str == NULL, "Expected NULL, got %p\n", str);
+
str = SysAllocStringByteLen(NULL, 0);
ok (str != NULL, "Expected non-NULL\n");
if (str)
More information about the wine-cvs
mailing list