PATCH: fix out of range array access in dlls/kernel32/relay16.c
Gerald Pfeifer
gerald at pfeifer.com
Sat Oct 6 18:29:34 CDT 2007
On Wed, 3 Oct 2007, Alexandre Julliard wrote:
> This can't happen. If there's no ret instruction in the entry point
> we'll have much bigger problems than an out of range access...
Fair point, I guess you're right. How about the following patch then?
Gerald
Index: relay16.c
===================================================================
RCS file: /home/wine/wine/dlls/kernel32/relay16.c,v
retrieving revision 1.5
diff -u -3 -p -r1.5 relay16.c
--- relay16.c 30 Aug 2007 11:21:56 -0000 1.5
+++ relay16.c 6 Oct 2007 23:28:29 -0000
@@ -320,7 +320,9 @@ static int relay_call_from_16_no_debug(
for (j = 0; j < sizeof(call->ret)/sizeof(call->ret[0]); j++)
if (call->ret[j] == 0xca66 || call->ret[j] == 0xcb66) break;
- if (call->ret[j] == 0xcb66) /* cdecl */
+ if( j >= sizeof(call->ret)/sizeof(call->ret[0]) )
+ ERR("failed to find ret instruction in entry point");
+ else if (call->ret[j] == 0xcb66) /* cdecl */
{
for (i = 0; i < 20; i++, nb_args++)
{
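Review bot: The new `ERR(...)` call at the top of this hunk has no trailing `\n` in its format string; Wine's debug macros do not append one, so this message will run into the next line of log output. Two smaller points on the same lines: `if( j >= sizeof(call->ret)/sizeof(call->ret[0]) )` does not match the `if (...)` spacing used on the surrounding lines, and the `sizeof(call->ret)/sizeof(call->ret[0])` expression is now written out twice in a row, so a local such as `const unsigned int nb_ret = sizeof(call->ret)/sizeof(call->ret[0]);` before the loop would keep the bound in one place. More substantively, once the `ERR` branch fires neither the cdecl nor the pascal branch runs, so `nb_args` is left at its initial value and the function carries on to the actual call; if the check is kept at all, it should either return early or state in a comment that continuing with zero arguments is the intended fallback.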
@@ -424,7 +426,9 @@ int relay_call_from_16( void *entry_poin
for (j = 0; j < sizeof(call->ret)/sizeof(call->ret[0]); j++)
if (call->ret[j] == 0xca66 || call->ret[j] == 0xcb66) break;
- if (call->ret[j] == 0xcb66) /* cdecl */
+ if( j >= sizeof(call->ret)/sizeof(call->ret[0]) )
+ ERR("failed to find ret instruction in entry point");
+ else if (call->ret[j] == 0xcb66) /* cdecl */
{
for (i = 0; i < 20; i++, nb_args++)
{
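Review bot: Same remarks as for the first hunk apply here (missing `\n` in the `ERR` format string, `if(` spacing, duplicated `sizeof` bound, and control flow continuing after the error). Since the loop over `call->ret` and the cdecl/pascal dispatch are now textually identical in `relay_call_from_16_no_debug` and `relay_call_from_16`, consider factoring the search into one static helper that returns the index (or -1 when no `0xca66`/`0xcb66` word is found) so the two copies cannot drift apart.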