PATCH: fix out of range array access in dlls/kernel32/relay16.c
Gerald Pfeifer
gerald at pfeifer.com
Sat Sep 29 08:39:21 CDT 2007
Looking at this code it becomes clear that we perform out-of-range array
accesses in those cases where we execute the full loops.
Gerald
ChangeLog:
Avoid out of range array accesses in relay_call_from_16_no_debug() and
relay_call_from_16().
Index: dlls/kernel32/relay16.c
===================================================================
RCS file: /home/wine/wine/dlls/kernel32/relay16.c,v
retrieving revision 1.5
diff -u -3 -p -r1.5 relay16.c
--- dlls/kernel32/relay16.c 30 Aug 2007 11:21:56 -0000 1.5
+++ dlls/kernel32/relay16.c 29 Sep 2007 13:37:38 -0000
@@ -320,7 +320,8 @@ static int relay_call_from_16_no_debug(
for (j = 0; j < sizeof(call->ret)/sizeof(call->ret[0]); j++)
if (call->ret[j] == 0xca66 || call->ret[j] == 0xcb66) break;
- if (call->ret[j] == 0xcb66) /* cdecl */
+ if (j < sizeof(call->ret)/sizeof(call->ret[0])
+ && call->ret[j] == 0xcb66) /* cdecl */
{
for (i = 0; i < 20; i++, nb_args++)
{
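Review bot: The added guard and the search loop above it spell out `sizeof(call->ret)/sizeof(call->ret[0])` three times in relay_call_from_16_no_debug, and the hunk in relay_call_from_16 repeats the same pattern; hoisting the bound once, e.g. `const size_t nret = sizeof(call->ret)/sizeof(call->ret[0]);` before the `for`, and using `nret` in both the loop condition and the guard keeps the two from drifting apart. When neither 0xca66 nor 0xcb66 is found, the guard now routes the call to the non-cdecl path without any trace; a comment on the guard such as `/* no ret opcode found: not cdecl, fall through to the other convention */` would record that this is intended rather than an oversight. If `j` is declared as a signed int (its declaration is outside the hunk), the comparison against the `sizeof` expression mixes signed and unsigned and -Wsign-compare will flag it; declaring `j` as `size_t` or `unsigned` would avoid that. Both functions start and end outside their hunks.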
@@ -424,7 +425,8 @@ int relay_call_from_16( void *entry_poin
for (j = 0; j < sizeof(call->ret)/sizeof(call->ret[0]); j++)
if (call->ret[j] == 0xca66 || call->ret[j] == 0xcb66) break;
- if (call->ret[j] == 0xcb66) /* cdecl */
+ if (j < sizeof(call->ret)/sizeof(call->ret[0])
+ && call->ret[j] == 0xcb66) /* cdecl */
{
for (i = 0; i < 20; i++, nb_args++)
{