Jonathan Liu : wined3d: Avoid wined3d_ftoa buffer overflow.

Alexandre Julliard julliard at winehq.org
Tue Jan 14 13:44:59 CST 2014


Module: wine
Branch: master
Commit: 91c5cf33adfa000fe1376ff2ca58d320bbcb95d0
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=91c5cf33adfa000fe1376ff2ca58d320bbcb95d0

Author: Jonathan Liu <net147 at gmail.com>
Date:   Tue Jan 14 21:45:42 2014 +1100

wined3d: Avoid wined3d_ftoa buffer overflow.

---

 dlls/wined3d/arb_program_shader.c |    6 +++---
 dlls/wined3d/glsl_shader.c        |    4 ++--
 dlls/wined3d/utils.c              |    3 +++
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/dlls/wined3d/arb_program_shader.c b/dlls/wined3d/arb_program_shader.c
index ff4345f..0866820 100644
--- a/dlls/wined3d/arb_program_shader.c
+++ b/dlls/wined3d/arb_program_shader.c
@@ -767,7 +767,7 @@ static void shader_arb_update_float_pixel_constants(struct wined3d_device *devic
 
 static void shader_arb_append_imm_vec4(struct wined3d_shader_buffer *buffer, const float *values)
 {
-    char str[4][16];
+    char str[4][17];
 
     wined3d_ftoa(values[0], str[0]);
     wined3d_ftoa(values[1], str[1]);
@@ -3605,7 +3605,7 @@ static GLuint shader_arb_generate_pshader(const struct wined3d_shader *shader,
     BOOL custom_linear_fog = FALSE;
 
     char srgbtmp[4][4];
-    char ftoa_tmp[16];
+    char ftoa_tmp[17];
     unsigned int i, found = 0;
 
     for (i = 0, map = reg_maps->temporary; map; map >>= 1, ++i)
@@ -4220,7 +4220,7 @@ static GLuint shader_arb_generate_vshader(const struct wined3d_shader *shader,
         shader_addline(buffer, "TEMP TMP_FOGCOORD;\n");
     if (need_helper_const(shader_data, reg_maps, gl_info))
     {
-        char ftoa_tmp[16];
+        char ftoa_tmp[17];
         wined3d_ftoa(eps, ftoa_tmp);
         shader_addline(buffer, "PARAM helper_const = { 0.0, 1.0, 2.0, %s};\n", ftoa_tmp);
     }
diff --git a/dlls/wined3d/glsl_shader.c b/dlls/wined3d/glsl_shader.c
index 351742b..32ad9e7 100644
--- a/dlls/wined3d/glsl_shader.c
+++ b/dlls/wined3d/glsl_shader.c
@@ -250,7 +250,7 @@ static const char *shader_glsl_get_prefix(enum wined3d_shader_type type)
 
 static void shader_glsl_append_imm_vec4(struct wined3d_shader_buffer *buffer, const float *values)
 {
-    char str[4][16];
+    char str[4][17];
 
     wined3d_ftoa(values[0], str[0]);
     wined3d_ftoa(values[1], str[1]);
@@ -1415,7 +1415,7 @@ static void shader_glsl_get_register_name(const struct wined3d_shader_register *
     const struct wined3d_gl_info *gl_info = ins->ctx->gl_info;
     const char *prefix = shader_glsl_get_prefix(version->type);
     struct glsl_src_param rel_param0, rel_param1;
-    char imm_str[4][16];
+    char imm_str[4][17];
 
     if (reg->idx[0].offset != ~0U && reg->idx[0].rel_addr)
         shader_glsl_add_src_param(ins, reg->idx[0].rel_addr, WINED3DSP_WRITEMASK_0, &rel_param0);
diff --git a/dlls/wined3d/utils.c b/dlls/wined3d/utils.c
index 54eb988..fa72a07 100644
--- a/dlls/wined3d/utils.c
+++ b/dlls/wined3d/utils.c
@@ -3814,6 +3814,9 @@ void wined3d_ftoa(float value, char *s)
     if (copysignf(1.0f, value) < 0.0f)
         ++idx;
 
+    /* Be sure to allocate a buffer of at least 17 characters for the result
+       as sprintf may return a 3 digit exponent when using the MSVC runtime
+       instead of a 2 digit exponent. */
     sprintf(s, "%.8e", value);
     if (isfinite(value))
         s[idx] = '.';




More information about the wine-cvs mailing list