[Bug 19819] New: Small bug in TranslateCharsetInfo

[wine-bugs at winehq.org]

http://bugs.winehq.org/show_bug.cgi?id=19819

           Summary: Small bug in TranslateCharsetInfo
           Product: Wine
           Version: 1.1.28
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gdi32
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: grschneider at gmail.com


TranslateCharsetInfo (dlls/gdi32/font.c:2596) works on an array FONT_tci of
size 32 and may access this array with the index 32 - out of bounds.

The loops in lines 2602 and 2605 first acces the array with an incremented
index and check afterwards, this may lead to the described behaviour. The order
 access then check has to be swapped in those three cases to fix this. C won't
access the arrays then because of lazy evaluation.

Example loop:
2602       while (PtrToUlong(lpSrc) != FONT_tci[index].ciACP && index <
MAXTCIINDEX) index++;
index = 31, 31 < 32 (true), 31++, FONT_tci[32].ciACP -> crash

Can't provide a patch atm, I hope this description is enough.

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.