[PATCH 2/2] ntdll: Prevent Find{Set, Clear}Run from reading past the end of bitmap

janisozaur at gmail.com janisozaur at gmail.com
Sat Jul 7 15:10:21 CDT 2018


From: Michał Janiszewski <janisozaur at gmail.com>

This can happen in sample arrays (hex):
FindSetRun:   00 00 00 00 00 00 00 ff
FindClearRun: ff ff ff ff ff ff ff 00

Such arrays were added to the tests in the previous commit and should now be
fixed.

Signed-off-by: Michał Janiszewski <janisozaur at gmail.com>
---
 dlls/ntdll/rtlbitmap.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/dlls/ntdll/rtlbitmap.c b/dlls/ntdll/rtlbitmap.c
index 20108f5035..d0a4e5cf28 100644
--- a/dlls/ntdll/rtlbitmap.c
+++ b/dlls/ntdll/rtlbitmap.c
@@ -731,6 +731,12 @@ static ULONG NTDLL_FindSetRun(PCRTL_BITMAP lpBits, ULONG ulStart, PULONG lpSize)
       return ~0U;
   }
 
+  /* Check if reached the end of bitmap */
+  if (ulStart >= lpBits->SizeOfBitMap) {
+    *lpSize = ulCount - (ulStart - lpBits->SizeOfBitMap);
+    return ulFoundAt;
+  }
+
   /* Count blocks of 8 set bits */
   while (*lpOut == 0xff)
   {
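Review bot: the size correction `*lpSize = ulCount - (ulStart - lpBits->SizeOfBitMap);` is only safe if the run began inside the bitmap; if the bit-by-bit scan above found its first set bit at or past SizeOfBitMap, the overshoot `ulStart - SizeOfBitMap` is at least ulCount, so the unsigned subtraction yields 0 or wraps and the function returns an out-of-range ulFoundAt instead of ~0U. Either state in the comment that callers guarantee ulStart < SizeOfBitMap on entry, or add `if (ulFoundAt >= lpBits->SizeOfBitMap) return ~0U;` before computing the size. Two smaller points: the `while (*lpOut == 0xff)` loop that follows still shows no bound against SizeOfBitMap, so a bitmap whose final byte is 0xff but whose run starts in an earlier byte may still read past the buffer, which this check does not cover; and this file puts the opening brace on its own line (compare the `while` just below), so the new `if (...) {` should follow that style.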
@@ -822,6 +828,12 @@ static ULONG NTDLL_FindClearRun(PCRTL_BITMAP lpBits, ULONG ulStart, PULONG lpSiz
       return ~0U;
   }
 
+  /* Check if reached the end of bitmap */
+  if (ulStart >= lpBits->SizeOfBitMap) {
+    *lpSize = ulCount - (ulStart - lpBits->SizeOfBitMap);
+    return ulFoundAt;
+  }
+
   /* Count blocks of 8 clear bits */
   while (!*lpOut)
   {
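Review bot: this is the same block as in NTDLL_FindSetRun, with the same brace placement against the file's convention (compare the `while (!*lpOut)` below) and the same reliance on the run having started inside the bitmap for `ulCount - (ulStart - lpBits->SizeOfBitMap)` not to wrap. Since both functions now need identical end-of-bitmap handling, consider a small static helper, or at least apply the same ulFoundAt guard in both places; the `while (!*lpOut)` loop below likewise shows no bound against SizeOfBitMap for a bitmap whose trailing bytes are all zero.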
-- 
2.18.0