Alexandre Julliard : msvcrt: Add validity checks on the size of the handle inheritance block.

Alexandre Julliard julliard at winehq.org
Thu Sep 10 09:09:03 CDT 2009


Module: wine
Branch: master
Commit: ded81aebc7ca9fe7a3362ec1b462dabad5e7986e
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=ded81aebc7ca9fe7a3362ec1b462dabad5e7986e

Author: Alexandre Julliard <julliard at winehq.org>
Date:   Thu Sep 10 15:29:04 2009 +0200

msvcrt: Add validity checks on the size of the handle inheritance block.

---

 dlls/msvcrt/file.c |   18 ++++++++++--------
 1 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/dlls/msvcrt/file.c b/dlls/msvcrt/file.c
index 6671f2f..cbaa04e 100644
--- a/dlls/msvcrt/file.c
+++ b/dlls/msvcrt/file.c
@@ -349,18 +349,19 @@ void msvcrt_init_io(void)
   InitializeCriticalSection(&MSVCRT_file_cs);
   MSVCRT_file_cs.DebugInfo->Spare[0] = (DWORD_PTR)(__FILE__ ": MSVCRT_file_cs");
   GetStartupInfoA(&si);
-  if (si.cbReserved2 != 0 && si.lpReserved2 != NULL)
+  if (si.cbReserved2 >= sizeof(unsigned int) && si.lpReserved2 != NULL)
   {
-    char*       wxflag_ptr;
+    BYTE*       wxflag_ptr;
     HANDLE*     handle_ptr;
+    unsigned int count;
 
-    MSVCRT_fdend = *(unsigned*)si.lpReserved2;
+    count = *(unsigned*)si.lpReserved2;
+    wxflag_ptr = si.lpReserved2 + sizeof(unsigned);
+    handle_ptr = (HANDLE*)(wxflag_ptr + count);
 
-    wxflag_ptr = (char*)(si.lpReserved2 + sizeof(unsigned));
-    handle_ptr = (HANDLE*)(wxflag_ptr + MSVCRT_fdend * sizeof(char));
-
-    MSVCRT_fdend = min(MSVCRT_fdend, sizeof(MSVCRT_fdesc) / sizeof(MSVCRT_fdesc[0]));
-    for (i = 0; i < MSVCRT_fdend; i++)
+    count = min(count, (si.cbReserved2 - sizeof(unsigned)) / (sizeof(HANDLE) + 1));
+    count = min(count, sizeof(MSVCRT_fdesc) / sizeof(MSVCRT_fdesc[0]));
+    for (i = 0; i < count; i++)
     {
       if ((*wxflag_ptr & WX_OPEN) && *handle_ptr != INVALID_HANDLE_VALUE)
       {
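Review bot: `handle_ptr` is still derived from the unclamped `count` read out of `lpReserved2`, so when the declared count is larger than `cbReserved2` can hold, the two `min()` clamps shorten the loop but `*handle_ptr` is still read at an offset past the end of the block. Clamping cannot repair this case, because the position of the handle array depends on the declared count, so the block should be treated as invalid instead. One way is `if (count > (si.cbReserved2 - sizeof(unsigned)) / (sizeof(HANDLE) + 1)) count = 0;` placed right after `count` is read and before `handle_ptr` is computed. The block is supplied by the parent process, so a truncated or malformed one should cost the child its inherited descriptors rather than cause an out-of-bounds read during CRT startup. msvcrt_init_io and the loop body continue outside this hunk.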
@@ -374,6 +375,7 @@ void msvcrt_init_io(void)
       }
       wxflag_ptr++; handle_ptr++;
     }
+    MSVCRT_fdend = max( 3, count );
     for (MSVCRT_fdstart = 3; MSVCRT_fdstart < MSVCRT_fdend; MSVCRT_fdstart++)
         if (MSVCRT_fdesc[MSVCRT_fdstart].handle == INVALID_HANDLE_VALUE) break;
   }



