[PATCH] xmllite: Avoid out of bounds access in readerinput_get_utf8_convlen().
Paul Gofman
pgofman at codeweavers.com
Wed Apr 14 07:48:43 CDT 2021
And consequently in readerinput_shrinkraw().
Signed-off-by: Paul Gofman <pgofman at codeweavers.com>
---
Spotted as a crash reproducible under certain conditions during Forza Horizon 4 start.
The out-of-bounds access in readerinput_get_utf8_convlen() is reproducible with the
existing tests; it just doesn't usually result in the crash, as
'if (!(buffer->data[len-1] & 0x80)) return len;' ends up returning 0 for zero length
most of the time.
dlls/xmllite/reader.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/dlls/xmllite/reader.c b/dlls/xmllite/reader.c
index 13d841eb94d..aa193128e4b 100644
--- a/dlls/xmllite/reader.c
+++ b/dlls/xmllite/reader.c
@@ -929,6 +929,8 @@ static int readerinput_get_utf8_convlen(xmlreaderinput *readerinput)
encoded_buffer *buffer = &readerinput->buffer->encoded;
int len = buffer->written;
+ assert(len);
+
/* complete single byte char */
if (!(buffer->data[len-1] & 0x80)) return len;
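Review bot: the new `assert(len);` only turns the `buffer->data[len-1]` read into an abort when assertions are compiled in; with NDEBUG defined it vanishes and the `data[-1]` read at `if (!(buffer->data[len-1] & 0x80)) return len;` is back, so the real protection is whatever keeps callers from entering with `written == 0`. Two things to confirm: that reader.c already includes <assert.h> (not visible in this hunk), and that no caller other than reader_more() can reach this function with an empty buffer; if one can, an explicit `if (!len) return 0;` before the single-byte check would be the safer guard, with the assert kept as documentation of the intended invariant.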
@@ -966,6 +968,7 @@ static void readerinput_shrinkraw(xmlreaderinput *readerinput, int len)
if (len == -1)
len = readerinput_get_convlen(readerinput);
+ assert(len >= 0);
memmove(buffer->data, buffer->data + buffer->cur + (buffer->written - len), len);
/* everything below cur is lost too */
buffer->written -= len + buffer->cur;
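Review bot: `assert(len >= 0);` catches a negative result from readerinput_get_convlen() before it is passed to memmove() as a size, but the memmove source `buffer->data + buffer->cur + (buffer->written - len)` and the following `buffer->written -= len + buffer->cur;` are equally wrong when `len` exceeds `buffer->written`, which the assert does not cover. Suggest tightening it to `assert(len >= 0 && len <= buffer->written);` so both ends of the range are documented, and, as with the previous hunk, note that under NDEBUG this is documentation only.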
@@ -1069,6 +1072,9 @@ static HRESULT reader_more(xmlreader *reader)
/* get some raw data from stream first */
hr = readerinput_growraw(readerinput);
+ if (!src->written)
+ return hr ? hr : MX_E_INPUTEND;
+
len = readerinput_get_convlen(readerinput);
prev_len = dest->written / sizeof(WCHAR);
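Review bot: the early return `return hr ? hr : MX_E_INPUTEND;` only fires when `src->written` is zero, so a failing `hr` from readerinput_growraw() with data still buffered falls through to `len = readerinput_get_convlen(readerinput);` exactly as before; that is fine if `hr` is still checked later in reader_more(), but the hunk does not show it, so please confirm the failure path is not silently dropped. Since the commit message says the existing tests already trigger the out-of-bounds read without crashing, a test feeding an empty stream (zero bytes written) and checking for MX_E_INPUTEND would pin down the new behaviour and make a regression visible rather than relying on `data[-1]` happening to read as 0.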
--
2.30.2