Dylan Smith : richedit: Prevent buffer overrun for tab stops buffer.

Alexandre Julliard julliard at winehq.org
Fri Sep 12 07:01:45 CDT 2008


Module: wine
Branch: master
Commit: 2aa69c6c9e083b0033eb8a0a75f860795441630c
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=2aa69c6c9e083b0033eb8a0a75f860795441630c

Author: Dylan Smith <dylan.ah.smith at gmail.com>
Date:   Thu Sep 11 17:25:16 2008 -0400

richedit: Prevent buffer overrun for tab stops buffer.

---

 dlls/riched20/editor.c |   13 ++++++++-----
 1 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/dlls/riched20/editor.c b/dlls/riched20/editor.c
index 1fe23cd..253c7b8 100644
--- a/dlls/riched20/editor.c
+++ b/dlls/riched20/editor.c
@@ -843,24 +843,27 @@ void ME_RTFTblAttrHook(RTF_Info *info)
       break;
     }
     case rtfCellPos:
+    {
+      int cellNum;
       if (!info->tableDef)
       {
         info->tableDef = ME_MakeTableDef(info->editor);
       }
-      if (info->tableDef->numCellsDefined >= MAX_TABLE_CELLS)
+      cellNum = info->tableDef->numCellsDefined;
+      if (cellNum >= MAX_TABLE_CELLS)
         break;
-      info->tableDef->cells[info->tableDef->numCellsDefined].rightBoundary = info->rtfParam;
-      {
+      info->tableDef->cells[cellNum].rightBoundary = info->rtfParam;
+      if (cellNum < MAX_TAB_STOPS) {
         /* Tab stops were used to store cell positions before v4.1 but v4.1
          * still seems to set the tabstops without using them. */
         ME_DisplayItem *para = ME_GetParagraph(info->editor->pCursors[0].pRun);
         PARAFORMAT2 *pFmt = para->member.para.pFmt;
-        int cellNum = info->tableDef->numCellsDefined;
         pFmt->rgxTabs[cellNum] &= ~0x00FFFFFF;
         pFmt->rgxTabs[cellNum] = 0x00FFFFFF & info->rtfParam;
       }
       info->tableDef->numCellsDefined++;
       break;
+    }
     case rtfRowBordTop:
       info->borderType = RTFBorderRowTop;
       break;
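Review bot: Inside the new `if (cellNum < MAX_TAB_STOPS)` block the mask on `pFmt->rgxTabs[cellNum]` has no effect, because the next line assigns with `=` and overwrites the whole entry, including the top byte that `&= ~0x00FFFFFF` was preserving. If the top byte is meant to survive, the second statement should be `pFmt->rgxTabs[cellNum] |= 0x00FFFFFF & info->rtfParam;`; if it is not, the `&=` line can go. The bounds guard itself looks right, assuming `rgxTabs` is declared with MAX_TAB_STOPS entries (the declaration is not in the hunk), and a one-line comment next to the guard saying so would help. ME_RTFTblAttrHook starts and ends outside this hunk.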
@@ -1045,7 +1048,7 @@ void ME_RTFSpecialCharHook(RTF_Info *info)
           ME_InsertTextFromCursor(info->editor, 0, &tab, 1, info->style);
           tableDef->numCellsInserted++;
         }
-        pFmt->cTabCount = tableDef->numCellsDefined;
+        pFmt->cTabCount = min(tableDef->numCellsDefined, MAX_TAB_STOPS);
         if (!tableDef->numCellsDefined)
           pFmt->wEffects &= ~PFE_TABLE;
         ME_InsertTextFromCursor(info->editor, 0, &endl, 1, info->style);
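Review bot: The clamp on `pFmt->cTabCount` needs a comment, because from this line on the tab count can be smaller than `tableDef->numCellsDefined` and nothing explains why. Suggested wording: `/* rgxTabs holds at most MAX_TAB_STOPS entries; cells past that are kept only in tableDef->cells. */`. Any reader that treats `cTabCount` as the cell count would undercount for wide tables, which is worth checking in callers not visible here. ME_RTFSpecialCharHook starts and ends outside the hunk.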



