kernel32: Protect global alloc functions against integer overflows
on the size parameter.
Robert Shearman
rob at codeweavers.com
Sun Dec 17 17:47:06 CST 2006
---
dlls/kernel32/heap.c | 20 ++++++++++++++++++--
1 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/dlls/kernel32/heap.c b/dlls/kernel32/heap.c
index 5d7f61c..1efd0cf 100644
--- a/dlls/kernel32/heap.c
+++ b/dlls/kernel32/heap.c
@@ -365,6 +365,12 @@ HGLOBAL WINAPI GlobalAlloc(
}
else /* HANDLE */
{
+ if (size > UINT_MAX-HGLOBAL_STORAGE)
+ {
+ SetLastError(ERROR_OUTOFMEMORY);
+ return 0;
+ }
+
RtlLockHeap(GetProcessHeap());
pintern = HeapAlloc(GetProcessHeap(), 0, sizeof(GLOBAL32_INTERN));
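Review bot: The bound in the added check `if (size > UINT_MAX-HGLOBAL_STORAGE)` is tied to `unsigned int` rather than to the type of `size`, whose declaration is outside this hunk. If `size` is a `SIZE_T`, the guard matches the real wrap point of `size+HGLOBAL_STORAGE` only where the two types have the same width; elsewhere it would refuse large requests that cannot overflow. Deriving the limit from the operand type, e.g. `if (size > ~(SIZE_T)0 - HGLOBAL_STORAGE)`, keeps the check exact. The same condition is repeated in the two later hunks, before the `HeapReAlloc` and `HeapAlloc` calls, so one shared macro would be cleaner, with a comment such as `/* size + HGLOBAL_STORAGE must not wrap, or the heap block would be smaller than the caller asked for */`. The diffstat shows no added include, so `UINT_MAX` depends on heap.c already pulling in `<limits.h>`, which is not visible here.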
@@ -658,7 +664,12 @@ #endif
hnew=hmem;
if(pintern->Pointer)
{
- if((palloc = HeapReAlloc(GetProcessHeap(), heap_flags,
+ if(size > UINT_MAX-HGLOBAL_STORAGE)
+ {
+ SetLastError(ERROR_OUTOFMEMORY);
+ hnew = 0;
+ }
+ else if((palloc = HeapReAlloc(GetProcessHeap(), heap_flags,
(char *) pintern->Pointer-HGLOBAL_STORAGE,
size+HGLOBAL_STORAGE)) == NULL)
hnew = 0; /* Block still valid */
@@ -667,7 +678,12 @@ #endif
}
else
{
- if((palloc=HeapAlloc(GetProcessHeap(), heap_flags, size+HGLOBAL_STORAGE))
+ if(size > UINT_MAX-HGLOBAL_STORAGE)
+ {
+ SetLastError(ERROR_OUTOFMEMORY);
+ hnew = 0;
+ }
+ else if((palloc=HeapAlloc(GetProcessHeap(), heap_flags, size+HGLOBAL_STORAGE))
== NULL)
hnew = 0;
else