Dylan Smith : richedit: Prevent buffer overrun for tab stops buffer.
Alexandre Julliard
julliard at winehq.org
Fri Sep 12 07:01:45 CDT 2008
Module: wine
Branch: master
Commit: 2aa69c6c9e083b0033eb8a0a75f860795441630c
URL: http://source.winehq.org/git/wine.git/?a=commit;h=2aa69c6c9e083b0033eb8a0a75f860795441630c
Author: Dylan Smith <dylan.ah.smith at gmail.com>
Date: Thu Sep 11 17:25:16 2008 -0400
richedit: Prevent buffer overrun for tab stops buffer.
---
dlls/riched20/editor.c | 13 ++++++++-----
1 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/dlls/riched20/editor.c b/dlls/riched20/editor.c
index 1fe23cd..253c7b8 100644
--- a/dlls/riched20/editor.c
+++ b/dlls/riched20/editor.c
@@ -843,24 +843,27 @@ void ME_RTFTblAttrHook(RTF_Info *info)
break;
}
case rtfCellPos:
+ {
+ int cellNum;
if (!info->tableDef)
{
info->tableDef = ME_MakeTableDef(info->editor);
}
- if (info->tableDef->numCellsDefined >= MAX_TABLE_CELLS)
+ cellNum = info->tableDef->numCellsDefined;
+ if (cellNum >= MAX_TABLE_CELLS)
break;
- info->tableDef->cells[info->tableDef->numCellsDefined].rightBoundary = info->rtfParam;
- {
+ info->tableDef->cells[cellNum].rightBoundary = info->rtfParam;
+ if (cellNum < MAX_TAB_STOPS) {
/* Tab stops were used to store cell positions before v4.1 but v4.1
* still seems to set the tabstops without using them. */
ME_DisplayItem *para = ME_GetParagraph(info->editor->pCursors[0].pRun);
PARAFORMAT2 *pFmt = para->member.para.pFmt;
- int cellNum = info->tableDef->numCellsDefined;
pFmt->rgxTabs[cellNum] &= ~0x00FFFFFF;
pFmt->rgxTabs[cellNum] = 0x00FFFFFF & info->rtfParam;
}
info->tableDef->numCellsDefined++;
break;
+ }
case rtfRowBordTop:
info->borderType = RTFBorderRowTop;
break;
@@ -1045,7 +1048,7 @@ void ME_RTFSpecialCharHook(RTF_Info *info)
ME_InsertTextFromCursor(info->editor, 0, &tab, 1, info->style);
tableDef->numCellsInserted++;
}
- pFmt->cTabCount = tableDef->numCellsDefined;
+ pFmt->cTabCount = min(tableDef->numCellsDefined, MAX_TAB_STOPS);
if (!tableDef->numCellsDefined)
pFmt->wEffects &= ~PFE_TABLE;
ME_InsertTextFromCursor(info->editor, 0, &endl, 1, info->style);
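Review bot: The clamp on `pFmt->cTabCount` needs a comment saying why it is there, since a later edit could "simplify" it away and reintroduce the overrun for readers that walk `rgxTabs` up to `cTabCount`. Something like `/* rgxTabs has only MAX_TAB_STOPS entries; cells past that are kept in tableDef but get no tab stop */` above the assignment would record the invariant. The same comment would explain the `cellNum < MAX_TAB_STOPS` guard in the `rtfCellPos` case of ME_RTFTblAttrHook, where the cell count comes from the RTF document being parsed. ME_RTFSpecialCharHook continues outside this hunk.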