PATCH: fix out of range array access in dlls/kernel32/relay16.c

Gerald Pfeifer gerald at pfeifer.com
Sat Oct 6 18:29:34 CDT 2007


On Wed, 3 Oct 2007, Alexandre Julliard wrote:
> This can't happen. If there's no ret instruction in the entry point
> we'll have much bigger problems than an out of range access...

Fair point, I guess you're right.  How about the following patch then?

Gerald

Index: relay16.c
===================================================================
RCS file: /home/wine/wine/dlls/kernel32/relay16.c,v
retrieving revision 1.5
diff -u -3 -p -r1.5 relay16.c
--- relay16.c	30 Aug 2007 11:21:56 -0000	1.5
+++ relay16.c	6 Oct 2007 23:28:29 -0000
@@ -320,7 +320,9 @@ static int relay_call_from_16_no_debug( 
     for (j = 0; j < sizeof(call->ret)/sizeof(call->ret[0]); j++)
         if (call->ret[j] == 0xca66 || call->ret[j] == 0xcb66) break;
 
-    if (call->ret[j] == 0xcb66)  /* cdecl */
+    if( j >= sizeof(call->ret)/sizeof(call->ret[0]) )
+        ERR("failed to find ret instruction in entry point");
+    else if (call->ret[j] == 0xcb66)  /* cdecl */
     {
         for (i = 0; i < 20; i++, nb_args++)
         {
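Review bot: the ERR() format string on the added line has no trailing "\n"; Wine's debug channel macros (ERR/WARN/TRACE) expect the message to end with a newline, so this should be `ERR("failed to find ret instruction in entry point\n");`. Same line: `if( j >= ...)` does not match the `if (` spacing used by the surrounding code (see the `if (call->ret[j] == 0xcb66)` it replaces). Also note that after logging, nothing returns or bails out, so the rest of relay_call_from_16_no_debug still runs with neither the cdecl nor the other calling-convention branch having been taken; if the intent is only to avoid the out-of-range read, that is fine, but it should be stated, otherwise an early return after the ERR is the safer choice.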
@@ -424,7 +426,9 @@ int relay_call_from_16( void *entry_poin
     for (j = 0; j < sizeof(call->ret)/sizeof(call->ret[0]); j++)
         if (call->ret[j] == 0xca66 || call->ret[j] == 0xcb66) break;
 
-    if (call->ret[j] == 0xcb66)  /* cdecl */
+    if( j >= sizeof(call->ret)/sizeof(call->ret[0]) )
+        ERR("failed to find ret instruction in entry point");
+    else if (call->ret[j] == 0xcb66)  /* cdecl */
     {
         for (i = 0; i < 20; i++, nb_args++)
         {
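Review bot: this hunk repeats the same ret-instruction scan and the same check verbatim from relay_call_from_16_no_debug; consider factoring the loop plus the bounds check into a small static helper returning the index (or -1) so the two call sites cannot drift apart. The same two nits apply here: the ERR() string needs a trailing "\n", and `if( j >= ...)` should be `if (j >= ...)` to match the file's style. As in the first hunk, relay_call_from_16 continues past the ERR without returning, so the remainder of the function executes with no calling convention determined.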