Henri Verbeet : wined3d: Validate instruction lengths in shader_sm4_read_instruction() (AFL).

Thu Mar 9 15:51:34 CST 2017

Module: wine
Branch: master
Commit: a9e5a02a20a2b11edf0949c5bb1c4dd6c5297644
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=a9e5a02a20a2b11edf0949c5bb1c4dd6c5297644

Author: Henri Verbeet <hverbeet at codeweavers.com>
Date:   Thu Mar  9 10:37:04 2017 +0100

wined3d: Validate instruction lengths in shader_sm4_read_instruction() (AFL).

Signed-off-by: Henri Verbeet <hverbeet at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>

---

 dlls/wined3d/shader_sm4.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/dlls/wined3d/shader_sm4.c b/dlls/wined3d/shader_sm4.c
index bd974a2..8986d35 100644
--- a/dlls/wined3d/shader_sm4.c
+++ b/dlls/wined3d/shader_sm4.c
@@ -1507,16 +1507,36 @@ static void shader_sm4_read_instruction(void *data, const DWORD **ptr, struct wi
     DWORD opcode_token, opcode, previous_token;
     struct wined3d_sm4_data *priv = data;
     unsigned int i, len;
+    SIZE_T remaining;
     const DWORD *p;
 
     list_move_head(&priv->src_free, &priv->src);
 
+    if (*ptr >= priv->end)
+    {
+        WARN("End of byte-code, failed to read opcode.\n");
+        goto fail;
+    }
+    remaining = priv->end - *ptr;
+
     opcode_token = *(*ptr)++;
     opcode = opcode_token & WINED3D_SM4_OPCODE_MASK;
 
     len = ((opcode_token & WINED3D_SM4_INSTRUCTION_LENGTH_MASK) >> WINED3D_SM4_INSTRUCTION_LENGTH_SHIFT);
     if (!len)
+    {
+        if (remaining < 2)
+        {
+            WARN("End of byte-code, failed to read length token.\n");
+            goto fail;
+        }
         len = **ptr;
+    }
+    if (!len || remaining < len)
+    {
+        WARN("Read invalid length %u (remaining %lu).\n", len, remaining);
+        goto fail;
+    }
     --len;
 
     if (TRACE_ON(d3d_bytecode))
@@ -1589,6 +1609,13 @@ static void shader_sm4_read_instruction(void *data, const DWORD **ptr, struct wi
             }
         }
     }
+
+    return;
+
+fail:
+    *ptr = priv->end;
+    ins->handler_idx = WINED3DSIH_TABLE_SIZE;
+    return;
 }
 
 static BOOL shader_sm4_is_end(void *data, const DWORD **ptr)


