Michał Janiszewski : ntdll: Prevent Find{Set, Clear}Run from reading past the end of bitmap.

Alexandre Julliard julliard at winehq.org
Tue Jul 10 15:36:44 CDT 2018


Module: wine
Branch: master
Commit: 3d5d8903b89803f5b2ec12a2d20ae9a171047fdc
URL:    https://source.winehq.org/git/wine.git/?a=commit;h=3d5d8903b89803f5b2ec12a2d20ae9a171047fdc

Author: Michał Janiszewski <janisozaur at gmail.com>
Date:   Sun Jul  8 21:57:43 2018 +0200

ntdll: Prevent Find{Set, Clear}Run from reading past the end of bitmap.

This can happen with sample arrays such as (hex):
FindSetRun:   00 00 00 00 00 00 00 ff
FindClearRun: ff ff ff ff ff ff ff 00

Signed-off-by: Michał Janiszewski <janisozaur at gmail.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>

---

 dlls/ntdll/rtlbitmap.c       | 12 ++++++++++++
 dlls/ntdll/tests/rtlbitmap.c |  2 --
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/dlls/ntdll/rtlbitmap.c b/dlls/ntdll/rtlbitmap.c
index 20108f5..d0a4e5c 100644
--- a/dlls/ntdll/rtlbitmap.c
+++ b/dlls/ntdll/rtlbitmap.c
@@ -731,6 +731,12 @@ static ULONG NTDLL_FindSetRun(PCRTL_BITMAP lpBits, ULONG ulStart, PULONG lpSize)
       return ~0U;
   }
 
+  /* Check if reached the end of bitmap */
+  if (ulStart >= lpBits->SizeOfBitMap) {
+    *lpSize = ulCount - (ulStart - lpBits->SizeOfBitMap);
+    return ulFoundAt;
+  }
+
   /* Count blocks of 8 set bits */
   while (*lpOut == 0xff)
   {
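Review bot: The new guard subtracts the overshoot `ulStart - lpBits->SizeOfBitMap` from ulCount without establishing that ulFoundAt itself lies inside the bitmap; if the locate loop above this hunk (NTDLL_FindSetRun starts before the hunk) can stop on a set bit in the padding bits of the final byte, at or beyond SizeOfBitMap, then ulCount is at most the overshoot, the unsigned subtraction yields 0 or wraps, and the function reports a run positioned past the end rather than the `~0U` not-found value used a few lines up. Whether the locate loop can reach those bits is not visible here and should be confirmed; if it can, placing `if (ulFoundAt >= lpBits->SizeOfBitMap) return ~0U;` ahead of the subtraction closes it. As a point of style, the added block opens with `if (...) {` on one line while the surrounding code puts the brace on its own line, as the `while` immediately below does, so it should match the file. The comment would also say more as `/* Bits counted past SizeOfBitMap in the final byte are not part of the run */`, since the reason for the subtraction is the non-byte-aligned end. Both remarks apply equally to the identical block added in the NTDLL_FindClearRun hunk.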
@@ -822,6 +828,12 @@ static ULONG NTDLL_FindClearRun(PCRTL_BITMAP lpBits, ULONG ulStart, PULONG lpSiz
       return ~0U;
   }
 
+  /* Check if reached the end of bitmap */
+  if (ulStart >= lpBits->SizeOfBitMap) {
+    *lpSize = ulCount - (ulStart - lpBits->SizeOfBitMap);
+    return ulFoundAt;
+  }
+
   /* Count blocks of 8 clear bits */
   while (!*lpOut)
   {
diff --git a/dlls/ntdll/tests/rtlbitmap.c b/dlls/ntdll/tests/rtlbitmap.c
index 10ee5f6..3c3992e 100644
--- a/dlls/ntdll/tests/rtlbitmap.c
+++ b/dlls/ntdll/tests/rtlbitmap.c
@@ -635,7 +635,6 @@ static void test_RtlFindNextForwardRunSet(void)
 
   pRtlInitializeBitMap(&bm, mask, 62);
   ulCount = pRtlFindNextForwardRunSet(&bm, ulStart, &lpPos);
-  todo_wine
   ok(ulCount == 6, "Invalid length of found set run: %d, expected 6\n", ulCount);
   ok(lpPos == 56, "Invalid position of found set run: %d, expected 56\n", lpPos);
 }
@@ -650,7 +649,6 @@ static void test_RtlFindNextForwardRunClear(void)
 
   pRtlInitializeBitMap(&bm, mask, 62);
   ulCount = pRtlFindNextForwardRunClear(&bm, ulStart, &lpPos);
-  todo_wine
   ok(ulCount == 6, "Invalid length of found clear run: %d, expected 6\n", ulCount);
   ok(lpPos == 56, "Invalid position of found clear run: %d, expected 56\n", lpPos);
 }



