[2/2] d3dxof: Avoid overflowing temp buffers for large tokens.
Dylan Smith
dylan.ah.smith at gmail.com
Wed Apr 20 15:20:11 CDT 2011
I tested using large tokens with native d3dxof. Name and string tokens
were silently truncated to 511 bytes, and floats and integers crashed
after more than 512 bytes (i.e. using multiple 0 prefixes to pad the
number).
---
dlls/d3dxof/parsing.c | 36 ++++++++++++++++++++++--------------
1 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/dlls/d3dxof/parsing.c b/dlls/d3dxof/parsing.c
index 038486a..34801ac 100644
--- a/dlls/d3dxof/parsing.c
+++ b/dlls/d3dxof/parsing.c
@@ -340,7 +340,7 @@ static BOOL is_guid(parse_buffer* buf)
if (buf->rem_bytes < 38 || *buf->buffer != '<')
return FALSE;
tmp[0] = '<';
- while (*(buf->buffer+pos) != '>')
+ while (pos < sizeof(tmp) - 2 && *(buf->buffer+pos) != '>')
{
tmp[pos] = *(buf->buffer+pos);
pos++;
@@ -381,7 +381,7 @@ static BOOL is_guid(parse_buffer* buf)
static BOOL is_name(parse_buffer* buf)
{
- char tmp[50];
+ char tmp[512];
DWORD pos = 0;
char c;
BOOL error = 0;
@@ -389,9 +389,11 @@ static BOOL is_name(parse_buffer* buf)
{
if (!(((c >= 'a') && (c <= 'z')) || ((c >= 'A') && (c <= 'Z')) || ((c >= '0') && (c <= '9')) || (c == '_') || (c == '-')))
error = 1;
- tmp[pos++] = c;
+ if (pos < sizeof(tmp))
+ tmp[pos] = c;
+ pos++;
}
- tmp[pos] = 0;
+ tmp[min(pos, sizeof(tmp) - 1)] = 0;
if (error)
{
@@ -410,7 +412,7 @@ static BOOL is_name(parse_buffer* buf)
static BOOL is_float(parse_buffer* buf)
{
- char tmp[50];
+ char tmp[512];
DWORD pos = 0;
char c;
float decimal;
@@ -422,9 +424,11 @@ static BOOL is_float(parse_buffer* buf)
return FALSE;
if (c == '.')
dot = TRUE;
- tmp[pos++] = c;
+ if (pos < sizeof(tmp))
+ tmp[pos] = c;
+ pos++;
}
- tmp[pos] = 0;
+ tmp[min(pos, sizeof(tmp) - 1)] = 0;
buf->buffer += pos;
buf->rem_bytes -= pos;
@@ -440,7 +444,7 @@ static BOOL is_float(parse_buffer* buf)
static BOOL is_integer(parse_buffer* buf)
{
- char tmp[50];
+ char tmp[512];
DWORD pos = 0;
char c;
DWORD integer;
@@ -449,9 +453,11 @@ static BOOL is_integer(parse_buffer* buf)
{
if (!((c >= '0') && (c <= '9')))
return FALSE;
- tmp[pos++] = c;
+ if (pos < sizeof(tmp))
+ tmp[pos] = c;
+ pos++;
}
- tmp[pos] = 0;
+ tmp[min(pos, sizeof(tmp) - 1)] = 0;
buf->buffer += pos;
buf->rem_bytes -= pos;
@@ -467,7 +473,7 @@ static BOOL is_integer(parse_buffer* buf)
static BOOL is_string(parse_buffer* buf)
{
- char tmp[100];
+ char tmp[512];
DWORD pos = 0;
char c;
BOOL ok = 0;
@@ -475,16 +481,18 @@ static BOOL is_string(parse_buffer* buf)
if (*buf->buffer != '"')
return FALSE;
- while (pos < buf->rem_bytes && !is_operator(c = *(buf->buffer+pos+1)) && (pos < 99))
+ while (pos < buf->rem_bytes && !is_operator(c = *(buf->buffer+pos+1)))
{
if (c == '"')
{
ok = 1;
break;
}
- tmp[pos++] = c;
+ if (pos < sizeof(tmp))
+ tmp[pos] = c;
+ pos++;
}
- tmp[pos] = 0;
+ tmp[min(pos, sizeof(tmp) - 1)] = 0;
if (!ok)
{
--
1.7.2.5
More information about the wine-patches
mailing list