[PATCH] shell32: handle malformed PIDLs with dataptr NULL but size non-0 (Coverity)
Marcus Meissner
marcus at jet.franken.de
Sat Oct 17 06:09:12 CDT 2009
Hi,
A NULL data pointer with a non-zero size could happen due to malicious pidls being sent in.
Ciao, Marcus
---
dlls/shell32/debughlp.c | 13 +++++++++----
1 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/dlls/shell32/debughlp.c b/dlls/shell32/debughlp.c
index 98d7899..801a2db 100644
--- a/dlls/shell32/debughlp.c
+++ b/dlls/shell32/debughlp.c
@@ -347,13 +347,18 @@ static void dump_pidl_hex( LPCITEMIDLIST pidl )
BOOL pcheck( LPCITEMIDLIST pidl )
{
- DWORD type;
LPCITEMIDLIST pidltemp = pidl;
while( pidltemp && pidltemp->mkid.cb )
{
- type = _dbg_ILGetDataPointer(pidltemp)->type;
- switch( type )
+ LPPIDLDATA pidldata = _dbg_ILGetDataPointer(pidltemp);
+
+ if (!pidldata) {
+ ERR("malformed IDLIST %p [%p] with data NULL but mkid.cb %u\n",
+ pidl, pidltemp, pidltemp->mkid.cb );
+ return FALSE;
+ }
+ switch( pidldata->type )
{
case PT_CPLAPPLET:
case PT_GUID:
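Review bot: The added NULL test on `pidldata` does not bound the read of `pidldata->type` by the item's own length, so an item whose `mkid.cb` is too small to hold a type byte still reaches the `switch`. Assuming `mkid.cb` counts the `cb` field itself, as in the usual SHITEMID layout, a guard such as `if (pidltemp->mkid.cb < sizeof(pidltemp->mkid.cb) + sizeof(pidldata->type)) return FALSE;` before the `switch` would reject those items. It is also worth confirming when `_dbg_ILGetDataPointer` can return NULL at all once the `while` condition has checked `pidltemp` and `mkid.cb`; if it cannot, the new branch is dead code and a length check is the one that matters for untrusted pidls. The body of `pcheck`, including the step to the next item, continues outside this hunk, so whether that step is bounded cannot be judged from here.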
@@ -377,7 +382,7 @@ BOOL pcheck( LPCITEMIDLIST pidl )
break;
default:
ERR("unknown IDLIST %p [%p] size=%u type=%x\n",
- pidl, pidltemp, pidltemp->mkid.cb,type );
+ pidl, pidltemp, pidltemp->mkid.cb, pidldata->type );
dump_pidl_hex( pidltemp );
return FALSE;
}
--
1.5.6