[PATCH] protect against integer overflow in SysAllocStringLen
Marcus Meissner
marcus at jet.franken.de
Fri Nov 24 01:45:57 CST 2006
Hi,
This is mostly to protect against an integer overflow in
SysAllocStringLen function, where one VB App passes
a 0xffffffff in and apparently expects NULL back.
Ciao, Marcus
---
dlls/oleaut32/oleaut.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
672fff7ae0965005d82bcf596882d26be1e0990b
diff --git a/dlls/oleaut32/oleaut.c b/dlls/oleaut32/oleaut.c
index 8ffdc72..d6a08a9 100644
--- a/dlls/oleaut32/oleaut.c
+++ b/dlls/oleaut32/oleaut.c
@@ -20,6 +20,7 @@
#include <stdarg.h>
#include <string.h>
+#include <limits.h>
#define COBJMACROS
@@ -217,6 +218,9 @@ BSTR WINAPI SysAllocStringLen(const OLEC
DWORD* newBuffer;
WCHAR* stringBuffer;
+ /* Detect integer overflow. */
+ if (len >= ((UINT_MAX-sizeof(WCHAR)-sizeof(DWORD))/sizeof(WCHAR)))
+ return NULL;
/*
* Find the length of the buffer passed-in, in bytes.
*/
@@ -234,8 +238,8 @@ BSTR WINAPI SysAllocStringLen(const OLEC
/*
* If the memory allocation failed, return a null pointer.
*/
- if (newBuffer==0)
- return 0;
+ if (!newBuffer)
+ return NULL;
/*
* Copy the length of the string in the placeholder.
--
1.2.4
More information about the wine-patches
mailing list