Buffer overrun in dlls/riched20/editor.c
Juan Lang
juan.lang at gmail.com
Thu Sep 11 15:30:07 CDT 2008
Hi Dylan, commit 11c80396995065701205f2facb3dba10a6f8170f[1]
introduced a buffer overrun in riched20's editor.c. Here's the hunk
that did it:
@@ -666,35 +661,83 @@ static void ME_RTFParAttrHook(RTF_Info *info)
static void ME_RTFTblAttrHook(RTF_Info *info)
{
- ME_DisplayItem *para;
-
switch (info->rtfMinor)
{
case rtfRowDef:
- RTFFlushOutputBuffer(info);
- para = ME_GetParagraph(info->editor->pCursors[0].pRun);
-
- /* Release possibly inherited cell definitions */
- ME_DestroyTableCellList(para);
-
- para->member.para.pCells = ALLOC_OBJ(ME_TableCell);
- para->member.para.pCells->nRightBoundary = 0;
- para->member.para.pCells->next = NULL;
- para->member.para.pLastCell = para->member.para.pCells;
+ if (!info->tableDef)
+ info->tableDef = ALLOC_OBJ(RTFTable);
+ ZeroMemory(info->tableDef, sizeof(RTFTable));
break;
case rtfCellPos:
+ if (!info->tableDef)
+ {
+ info->tableDef = ALLOC_OBJ(RTFTable);
+ ZeroMemory(info->tableDef, sizeof(RTFTable));
+ }
+ if (info->tableDef->numCellsDefined >= MAX_TABLE_CELLS)
+ break;
+ info->tableDef->cells[info->tableDef->numCellsDefined].rightBoundary
= info->rtfParam;
+ {
+ /* Tab stops store the cell positions. */
+ ME_DisplayItem *para = ME_GetParagraph(info->editor->pCursors[0].pRun);
+ PARAFORMAT2 *pFmt = para->member.para.pFmt;
+ int cellNum = info->tableDef->numCellsDefined;
+ pFmt->rgxTabs[cellNum] &= ~0x00FFFFFF;
+ pFmt->rgxTabs[cellNum] = 0x00FFFFFF & info->rtfParam;
The trouble is that numCellsDefined is only guaranteed to be less than
MAX_TABLE_CELLS (defined as 63 in include/richedit.h), while rgxTabs
has only MAX_TAB_STOPS entries, i.e. 32, so the index can run past the end of the array.
I'm not sure what the correct fix is. Would you mind having a look?
For what it's worth, this is Coverity id 727.
Thanks,
--Juan
1: http://source.winehq.org/git/wine.git/?a=commit;h=11c80396995065701205f2facb3dba10a6f8170f