[PATCH] wineps.drv: check for GDI_ERROR in LoadTable()
Huw Davies
huw at codeweavers.com
Mon Nov 12 04:57:59 CST 2018
On Sat, Nov 10, 2018 at 12:33:30AM +0100, Wolfgang Walter wrote:
> On Friday, 9 November 2018 18:50:43 CET Nikolay Sivov wrote:
> > On 11/9/18 4:21 PM, Wolfgang Walter wrote:
> > > if(table->MS_tag == MS_MAKE_TAG('g','d','i','r')) return TRUE;
> > > table->len = GetFontData(hdc, table->MS_tag, 0, NULL, 0);
> > >
> > > + table->check = 0;
> > > + if(table->len == GDI_ERROR) {
> > > + table->len = 0;
> > > + return TRUE;
> > > + }
> > > + if(table->len > (0xfffffffflu - 3)) {
> > > + table->len = 0;
> > > + return FALSE;
> > > + }
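Review bot: a zero length is not handled by the added checks, and it matters for the code that follows the hunk: with table->len == 0 the memset offset (table->len - 1) & ~3 wraps to 0xfffffffc in DWORD arithmetic, while the allocation (table->len + 3) & ~3 is 0 bytes, so the write lands outside the buffer. Consider returning early for a zero length next to the GDI_ERROR branch. The two early returns also disagree (TRUE for GDI_ERROR, FALSE for the oversized length) with no comment; a short comment on each, saying why a failed lookup is accepted as an empty table and that the second test guards the (table->len + 3) rounding passed to HeapAlloc, would make the intent clear.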
> >
> > What is the second condition for?
>
> The code which follows is:
>
> table->data = HeapAlloc(GetProcessHeap(), 0, (table->len + 3) & ~3 );
> memset(table->data + ((table->len - 1) & ~3), 0, sizeof(DWORD));
> GetFontData(hdc, table->MS_tag, 0, table->data, table->len);
> for(i = 0; i < (table->len + 3) / 4; i++)
> table->check += FLIP_ORDER(*((DWORD*)(table->data) + i));
>
>
> If table->len (which itself is a DWORD) gets bigger than 0xfffffffflu - 3 it
> will overflow in (table->len + 3) and HeapAlloc does not allocate as much
> memory as expected.
I don't think that's worth covering. I've sent in a cleaner version.
Thanks!
Huw.
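
The wrap-around described in the quoted reply, together with the related wrap in the quoted memset() offset when the length is 0, as an added C example that is not part of this thread or of Wine's code. `table_checksum` is a hypothetical helper, and summing big-endian DWORDs in place of FLIP_ORDER is an assumption.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The rounding from the quoted code, in the same 32-bit arithmetic as a DWORD. */
uint32_t padded_len_unchecked(uint32_t len)
{
    return (len + 3) & ~3u;          /* wraps to 0 for len > 0xfffffffc */
}

/* Offset the quoted memset() writes to: start of the last DWORD of the table. */
uint32_t tail_offset_unchecked(uint32_t len)
{
    return (len - 1) & ~3u;          /* wraps to 0xfffffffc for len == 0 */
}

/* Hypothetical hardened helper: pad a table to a DWORD boundary and sum it.
 * Returns 0 on success, -1 if the length cannot be padded or allocation fails.
 * Summing big-endian DWORDs is an assumption about what FLIP_ORDER is for. */
int table_checksum(const uint8_t *src, uint32_t len, uint32_t *check)
{
    uint32_t padded, i;
    uint8_t *buf;

    *check = 0;
    if (len == 0) return 0;                  /* nothing to pad or sum */
    if (len > UINT32_MAX - 3) return -1;     /* (len + 3) would wrap */
    padded = (len + 3) & ~3u;

    buf = calloc(1, padded);                 /* zeroed, so the tail padding is 0 */
    if (!buf) return -1;
    memcpy(buf, src, len);

    for (i = 0; i < padded; i += 4)
        *check += ((uint32_t)buf[i] << 24) | ((uint32_t)buf[i + 1] << 16) |
                  ((uint32_t)buf[i + 2] << 8) | (uint32_t)buf[i + 3];
    free(buf);
    return 0;
}
```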