Rémi Bernon : dinput/tests: Enforce ioctl buffer sizes to avoid overflows.

Alexandre Julliard julliard at winehq.org
Thu Jun 2 16:26:09 CDT 2022


Module: wine
Branch: master
Commit: 01e8a9d03b17cbfe97663cf4b1e6d2c6fd67ca2a
URL:    https://source.winehq.org/git/wine.git/?a=commit;h=01e8a9d03b17cbfe97663cf4b1e6d2c6fd67ca2a

Author: Rémi Bernon <rbernon at codeweavers.com>
Date:   Wed Jun  1 10:24:49 2022 +0200

dinput/tests: Enforce ioctl buffer sizes to avoid overflows.

Signed-off-by: Rémi Bernon <rbernon at codeweavers.com>

---

 dlls/dinput/tests/driver_bus.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/dlls/dinput/tests/driver_bus.c b/dlls/dinput/tests/driver_bus.c
index dc9b549e1d8..64ca33e7c89 100644
--- a/dlls/dinput/tests/driver_bus.c
+++ b/dlls/dinput/tests/driver_bus.c
@@ -1251,18 +1251,22 @@ static NTSTATUS pdo_handle_ioctl( struct phys_device *impl, IRP *irp, ULONG code
     switch (code)
     {
     case IOCTL_WINETEST_HID_SET_EXPECT:
+        if (in_size > EXPECT_QUEUE_BUFFER_SIZE) return STATUS_BUFFER_OVERFLOW;
         expect_queue_reset( &impl->expect_queue, in_buffer, in_size );
         return STATUS_SUCCESS;
     case IOCTL_WINETEST_HID_WAIT_EXPECT:
     {
-        struct wait_expect_params wait_params = *(struct wait_expect_params *)in_buffer;
-        if (!wait_params.wait_pending) return expect_queue_wait( &impl->expect_queue, irp );
+        struct wait_expect_params *wait_params = (struct wait_expect_params *)in_buffer;
+        if (in_size < sizeof(*wait_params)) return STATUS_BUFFER_TOO_SMALL;
+        if (!wait_params->wait_pending) return expect_queue_wait( &impl->expect_queue, irp );
         else return expect_queue_wait_pending( &impl->expect_queue, irp );
     }
     case IOCTL_WINETEST_HID_SEND_INPUT:
+        if (in_size > EXPECT_QUEUE_BUFFER_SIZE) return STATUS_BUFFER_OVERFLOW;
         input_queue_reset( &impl->input_queue, in_buffer, in_size );
         return STATUS_SUCCESS;
     case IOCTL_WINETEST_HID_SET_CONTEXT:
+        if (in_size > sizeof(impl->expect_queue.context)) return STATUS_BUFFER_OVERFLOW;
         KeAcquireSpinLock( &impl->expect_queue.lock, &irql );
         memcpy( impl->expect_queue.context, in_buffer, in_size );
         KeReleaseSpinLock( &impl->expect_queue.lock, irql );
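Review bot: The three new size guards on the SET_EXPECT, SEND_INPUT and SET_CONTEXT branches reject an oversized input buffer with STATUS_BUFFER_OVERFLOW, which is the NT warning status for truncated output rather than an error for bad input; on the user-mode side it surfaces as ERROR_MORE_DATA, which a test caller could mistake for a partial read. `return STATUS_INVALID_BUFFER_SIZE;` is the conventional rejection for an input buffer whose length is out of range, and it keeps STATUS_BUFFER_TOO_SMALL on the WAIT_EXPECT branch as the only undersized-buffer status. The SET_CONTEXT guard bounds the memcpy correctly, but an in_size smaller than the context array still leaves the tail of the previous context in place; if callers expect the whole context to be replaced, a note such as `/* a short buffer replaces only the leading in_size bytes of the context */` would make that explicit. pdo_handle_ioctl begins and ends outside the hunk, so how the early returns interact with the irp->IoStatus fields set by the caller cannot be checked here.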



