[PATCH] wineps.drv: check for GDI_ERROR in LoadTable()
Wolfgang Walter
wine at stwm.de
Fri Nov 9 17:33:30 CST 2018
On Friday, 9 November 2018 18:50:43 CET Nikolay Sivov wrote:
> On 11/9/18 4:21 PM, Wolfgang Walter wrote:
> > if(table->MS_tag == MS_MAKE_TAG('g','d','i','r')) return TRUE;
> > table->len = GetFontData(hdc, table->MS_tag, 0, NULL, 0);
> >
> > + table->check = 0;
> > + if(table->len == GDI_ERROR) {
> > + table->len = 0;
> > + return TRUE;
> > + }
> > + if(table->len > (0xfffffffflu - 3)) {
> > + table->len = 0;
> > + return FALSE;
> > + }
>
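Review bot: the second check, if(table->len > (0xfffffffflu - 3)), needs a comment naming the later expression it protects, since nothing in the hunk shows why 3 is subtracted; a one-line note that it guards the (table->len + 3) rounding before HeapAlloc would do. GDI_ERROR is 0xffffffff and is already consumed by the first branch, so this check only fires for the remaining lengths above 0xfffffffc, which is worth stating as well. The two early exits also differ (TRUE with len = 0 for GDI_ERROR, FALSE with len = 0 for an oversized table) and the hunk gives no reason for the difference; say in a comment or in the commit message what callers should do in each case. Neither branch covers a return of 0 from GetFontData, so please check whether the later (table->len - 1) expression needs a guard too.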
> What is the second condition for?
The code which follows is:

    table->data = HeapAlloc(GetProcessHeap(), 0, (table->len + 3) & ~3 );
    memset(table->data + ((table->len - 1) & ~3), 0, sizeof(DWORD));
    GetFontData(hdc, table->MS_tag, 0, table->data, table->len);
    for(i = 0; i < (table->len + 3) / 4; i++)
        table->check += FLIP_ORDER(*((DWORD*)(table->data) + i));

If table->len (which itself is a DWORD) gets bigger than 0xfffffffflu - 3 it
will overflow in (table->len + 3) and HeapAlloc does not allocate as much
memory as expected.

The whole thing will then be inconsistent and I thought therefore one should not
rely that a) wine will handle that gracefully and b) that there is no such
font embedded in pdfs.
Regards,
--
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Recht
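
The wrap in (table->len + 3) described in the message above, as an added example that is not Wine's code and not part of the original mail: it shows the unchecked rounding next to a checked version and a loader that refuses oversized lengths. All function names are hypothetical, uint32_t stands in for DWORD, and a byte-wise big-endian sum is used in place of the FLIP_ORDER loop.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Rounding as in the quoted code: wraps to 0 for len > 0xffffffff - 3. */
static uint32_t padded_len_unchecked(uint32_t len)
{
    return (len + 3) & ~3u;
}

/* Checked rounding: 0 on success, -1 if len + 3 would wrap. */
static int padded_len_checked(uint32_t len, uint32_t *out)
{
    if (len > UINT32_MAX - 3) return -1;
    *out = (len + 3) & ~3u;
    return 0;
}

/* Big-endian 32-bit sum over a zero-padded copy of the table (hypothetical helper).
   Returns 0 on success, -1 on an oversized length or a failed allocation. */
static int table_checksum(const uint8_t *src, uint32_t len, uint32_t *sum)
{
    uint32_t padded, i;
    uint8_t *buf;

    *sum = 0;
    if (len == 0) return 0;           /* empty table; also keeps len - 1 from wrapping */
    if (padded_len_checked(len, &padded)) return -1;
    buf = calloc(1, padded);          /* zeroed, so the pad bytes are already 0 */
    if (!buf) return -1;
    memcpy(buf, src, len);
    for (i = 0; i < padded; i += 4)
        *sum += (uint32_t)buf[i] << 24 | (uint32_t)buf[i + 1] << 16 |
                (uint32_t)buf[i + 2] << 8 | buf[i + 3];
    free(buf);
    return 0;
}

int main(void)
{
    const uint8_t sample[5] = {0, 0, 0, 1, 2};   /* constructed table bytes */
    uint32_t sum;
    printf("unchecked pad of 0xfffffffe: %u\n", (unsigned)padded_len_unchecked(0xfffffffeu));
    printf("checked load of 0xfffffffe: %d\n", table_checksum(sample, 0xfffffffeu, &sum));
    if (table_checksum(sample, sizeof sample, &sum) == 0) printf("checksum: 0x%08x\n", (unsigned)sum);
    return 0;
}
```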