Henri Verbeet : d3d11: Validate offsets and sizes in parse_dxbc() (AFL).
Alexandre Julliard
julliard at winehq.org
Wed May 25 10:41:09 CDT 2016
Module: wine
Branch: master
Commit: e5a4da38eb159dbe2708f525cffc4c2abd8c53ec
URL: http://source.winehq.org/git/wine.git/?a=commit;h=e5a4da38eb159dbe2708f525cffc4c2abd8c53ec
Author: Henri Verbeet <hverbeet at codeweavers.com>
Date: Tue May 24 19:46:41 2016 +0200
d3d11: Validate offsets and sizes in parse_dxbc() (AFL).
Signed-off-by: Henri Verbeet <hverbeet at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>
---
dlls/d3d11/d3d11_private.h | 5 +++++
dlls/d3d11/utils.c | 12 ++++++++++++
2 files changed, 17 insertions(+)
diff --git a/dlls/d3d11/d3d11_private.h b/dlls/d3d11/d3d11_private.h
index c52e3e4..41fd89d 100644
--- a/dlls/d3d11/d3d11_private.h
+++ b/dlls/d3d11/d3d11_private.h
@@ -85,6 +85,11 @@ static inline void read_dword(const char **ptr, DWORD *d)
*ptr += sizeof(*d);
}
+static inline BOOL require_space(size_t offset, size_t size, size_t data_size)
+{
+ return data_size - offset >= size;
+}
+
void skip_dword_unknown(const char **ptr, unsigned int count) DECLSPEC_HIDDEN;
HRESULT parse_dxbc(const char *data, SIZE_T data_size,
diff --git a/dlls/d3d11/utils.c b/dlls/d3d11/utils.c
index 6473722..25e22f9 100644
--- a/dlls/d3d11/utils.c
+++ b/dlls/d3d11/utils.c
@@ -751,11 +751,23 @@ HRESULT parse_dxbc(const char *data, SIZE_T data_size,
read_dword(&ptr, &chunk_offset);
TRACE("chunk %u at offset %#x\n", i, chunk_offset);
+ if (chunk_offset >= data_size || !require_space(chunk_offset, 2 * sizeof(DWORD), data_size))
+ {
+ WARN("Invalid chunk offset %#x (data size %#lx).\n", chunk_offset, data_size);
+ return E_FAIL;
+ }
+
chunk_ptr = data + chunk_offset;
read_dword(&chunk_ptr, &chunk_tag);
read_dword(&chunk_ptr, &chunk_size);
+ if (!require_space(chunk_ptr - data, chunk_size, data_size))
+ {
+ WARN("Invalid chunk size %#x (data size %#lx, chunk offset %#x).\n", chunk_size, data_size, chunk_offset);
+ return E_FAIL;
+ }
+
hr = chunk_handler(chunk_ptr, chunk_size, chunk_tag, ctx);
if (FAILED(hr)) break;
}
More information about the wine-cvs
mailing list