gdi32 : Correction of bug 20850 Write buffer overflow in WidenPath()
Laurent Vromman
laurent at vromman.org
Sat Nov 28 19:04:09 CST 2009
---
dlls/gdi32/path.c | 16 ++++++++--------
1 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/dlls/gdi32/path.c b/dlls/gdi32/path.c
index 88b7b0a..b7ceaf2 100644
--- a/dlls/gdi32/path.c
+++ b/dlls/gdi32/path.c
@@ -1906,13 +1906,7 @@ static BOOL PATH_WidenPath(DC *dc)
penWidthOut++;
numStrokes = 0;
-
- pStrokes = HeapAlloc(GetProcessHeap(), 0, numStrokes *
sizeof(GdiPath*));
- pStrokes[0] = HeapAlloc(GetProcessHeap(), 0, sizeof(GdiPath));
- PATH_InitGdiPath(pStrokes[0]);
- pStrokes[0]->pFlags = HeapAlloc(GetProcessHeap(), 0,
pPath->numEntriesUsed * sizeof(INT));
- pStrokes[0]->pPoints = HeapAlloc(GetProcessHeap(), 0,
pPath->numEntriesUsed * sizeof(POINT));
- pStrokes[0]->numEntriesUsed = 0;
+ pStrokes = NULL;
for(i = 0, j = 0; i < pPath->numEntriesUsed; i++, j++) {
POINT point;
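Review bot: With `pStrokes = NULL;` as the starting state, the array only exists once the loop has started its first stroke, so every later use has to tolerate `numStrokes == 0`. The loop body between this hunk and the next is not shown. If any branch there indexes `pStrokes[numStrokes - 1]` before the first stroke is allocated, it would now go through a NULL base pointer rather than the old zero-byte block. The code after the loop is also outside the hunk and is worth checking for the empty-path case, where `pPath->numEntriesUsed` is 0 and the loop never runs. A comment on the new line would record the invariant, for example `/* allocated lazily when the first stroke starts; NULL while numStrokes == 0 */`.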
@@ -1930,7 +1924,13 @@ static BOOL PATH_WidenPath(DC *dc)
}
numStrokes++;
j = 0;
- pStrokes = HeapReAlloc(GetProcessHeap(), 0, pStrokes,
numStrokes * sizeof(GdiPath*));
+ if(numStrokes == 1) {
+ /* It is the first allocation of pStrokes */
+ pStrokes = HeapAlloc(GetProcessHeap(), 0,
sizeof(GdiPath*));
+ }
+ else {
+ pStrokes = HeapReAlloc(GetProcessHeap(), 0,
pStrokes, numStrokes * sizeof(GdiPath*));
+ }
pStrokes[numStrokes - 1] = HeapAlloc(GetProcessHeap(),
0, sizeof(GdiPath));
PATH_InitGdiPath(pStrokes[numStrokes - 1]);
pStrokes[numStrokes - 1]->state = PATH_Open;
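Review bot: None of the three allocations in this hunk is checked, so a failed `HeapAlloc` or `HeapReAlloc` is followed immediately by a write through `pStrokes[numStrokes - 1]` or a dereference inside `PATH_InitGdiPath`. Assigning the `HeapReAlloc` result straight to `pStrokes` also loses the only pointer to the existing array on failure, leaking the strokes built so far. I would take the result in a temporary (`GdiPath **newStrokes`, declared with the function's other locals) and bail out before touching the array. The hunk header shows the function returns BOOL, so `return FALSE` looks like the natural failure path, but the function's cleanup convention is outside the hunk and should be confirmed.

```c
if(numStrokes == 1) {
    /* It is the first allocation of pStrokes */
    newStrokes = HeapAlloc(GetProcessHeap(), 0, sizeof(GdiPath*));
}
else {
    newStrokes = HeapReAlloc(GetProcessHeap(), 0, pStrokes, numStrokes * sizeof(GdiPath*));
}
if(!newStrokes) {
    /* pStrokes still holds the numStrokes - 1 earlier strokes; release them here */
    return FALSE;
}
pStrokes = newStrokes;
pStrokes[numStrokes - 1] = HeapAlloc(GetProcessHeap(), 0, sizeof(GdiPath));
if(!pStrokes[numStrokes - 1]) {
    /* release the earlier strokes and the array before returning */
    return FALSE;
}
/* … unchanged: PATH_InitGdiPath call and state assignment … */
```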
--
1.5.6.5