ddraw: Better validation of IDirectDrawSurface::BltFast parameters (2nd try)
Iain Arnell
iarnell at gmail.com
Sat Jun 19 02:02:08 CDT 2010
fixes #23238 - Repton 3: crashes when viewing map.
---
dlls/ddraw/surface.c | 6 ++++++
dlls/ddraw/tests/dsurface.c | 4 ++++
2 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/dlls/ddraw/surface.c b/dlls/ddraw/surface.c
index bfe83a4..0e28433 100644
--- a/dlls/ddraw/surface.c
+++ b/dlls/ddraw/surface.c
@@ -2080,6 +2080,12 @@ IDirectDrawSurfaceImpl_BltFast(IDirectDrawSurface7 *iface,
HRESULT hr;
TRACE("(%p)->(%d,%d,%p,%p,%d): Relay\n", This, dstx, dsty, Source, rsrc, trans);
+ /* Ensure that we've not been given negative signed ints */
+ if( (dstx | dsty) > (MAXDWORD >> 1) ) {
+ WARN("Application gave us negative offset for BltFast\n");
+ return DDERR_INVALIDRECT;
+ }
+
/* Source must be != NULL, This is not checked by windows. Windows happily throws a 0xc0000005
* in that case
*/
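Review bot: The new guard in IDirectDrawSurfaceImpl_BltFast is a sign-bit test written as a magnitude comparison, and its comment does not say why a "negative" offset is dangerous. The comparison against MAXDWORD suggests dstx and dsty are unsigned, so an application's negative int would arrive as a value of 0x80000000 or above; presumably the off-surface bounds arithmetic further down can wrap with such values, which would match the crash named in the description. I would say so in the comment, e.g. `/* dstx/dsty are DWORDs: a negative int from the application arrives as >= 0x80000000 and must be rejected before any offset + size arithmetic can wrap */`, and log the offending values with `WARN("Negative offset for BltFast: dstx %#x, dsty %#x\n", dstx, dsty);`. The function starts and continues outside this hunk, so it is worth confirming that the later bounds check is itself overflow-safe and does not depend on this guard alone.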
diff --git a/dlls/ddraw/tests/dsurface.c b/dlls/ddraw/tests/dsurface.c
index bfd5eae..92dcb65 100644
--- a/dlls/ddraw/tests/dsurface.c
+++ b/dlls/ddraw/tests/dsurface.c
@@ -2537,6 +2537,10 @@ static void BltParamTest(void)
ok(hr == DDERR_INVALIDRECT, "BltFast with a rectangle resulting in an off-surface write returned %08x\n", hr);
hr = IDirectDrawSurface_BltFast(surface1, 90, 90, surface2, NULL, 0);
ok(hr == DDERR_INVALIDRECT, "BltFast with a rectangle resulting in an off-surface write returned %08x\n", hr);
+ hr = IDirectDrawSurface_BltFast(surface1, -10, 0, surface2, NULL, 0);
+ ok(hr == DDERR_INVALIDRECT, "BltFast with a rectangle resulting in an off-surface write returned %08x\n", hr);
+ hr = IDirectDrawSurface_BltFast(surface1, 0, -10, surface2, NULL, 0);
+ ok(hr == DDERR_INVALIDRECT, "BltFast with a rectangle resulting in an off-surface write returned %08x\n", hr);
hr = IDirectDrawSurface_BltFast(surface2, 0, 0, surface1, &invalid1, 0);
ok(hr == DDERR_INVALIDRECT, "BltFast with invalid rectangle 1 returned %08x\n", hr);
hr = IDirectDrawSurface_BltFast(surface2, 0, 0, surface1, &invalid2, 0);
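Review bot: Both added ok() calls reuse the message of the preceding cases ("BltFast with a rectangle resulting in an off-surface write"), so a failure in the test log cannot be attributed to the negative-offset cases. Give each its own text, e.g. `"BltFast with negative x offset returned %08x\n"` and `"BltFast with negative y offset returned %08x\n"`. The guard in surface.c keys on the high bit, so one more case at the boundary (an offset of 0x7fffffff, which the guard lets through and the later off-surface check has to reject) would pin the behaviour on both sides of it. BltParamTest starts and ends outside this hunk.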
--
1.7.0.1