richedit: Prevent buffer overrun for tab stops buffer.

Dylan Smith dylan.ah.smith at gmail.com
Thu Sep 11 16:25:16 CDT 2008


The maximum number of cells that can be defined changed between v3.0 and
v4.1, from 32 to 63.  Since v3.0 of the richedit control stores
table cell positions as tab stops in a fixed-size buffer of size 32,
adding too many causes a buffer overflow.

I searched for rgxTabs, cTabCount, and numCellsDefined to find any code
that could result in this buffer overflow. Now cTabCount is constrained
to 32, numCellsDefined is constrained to 63, and the rgxTabs buffer is
not accessed with an index greater than 31.
---
 dlls/riched20/editor.c |   13 ++++++++-----
 1 files changed, 8 insertions(+), 5 deletions(-)
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-richedit-Prevent-buffer-overrun-for-tab-stops-bu.diff.txt
Url: http://www.winehq.org/pipermail/wine-patches/attachments/20080911/f2bbbc03/attachment.txt 
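As an added illustration (not the attached patch and not Wine's code), the following C sketch shows the invariant the message describes: cell positions are stored as tab stops in a 32-entry rgxTabs buffer, so a table defined with up to 63 cells must be clamped before it is copied in. The struct, function names and the canary field are hypothetical; MAX_TAB_STOPS and MAX_TABLE_CELLS are defined locally with the values given above.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TAB_STOPS   32   /* rgxTabs capacity: the fixed-size buffer from the message */
#define MAX_TABLE_CELLS 63   /* v4.1 cell limit from the message */

/* Hypothetical paragraph format; the canary sits right after rgxTabs so an
   overrun of the tab stop buffer would be visible as a changed canary. */
typedef struct {
    int  cTabCount;
    long rgxTabs[MAX_TAB_STOPS];
    long canary;
} para_format;

#define CANARY_VALUE 0x5AFE5AFEL

void para_format_init(para_format *fmt)
{
    memset(fmt, 0, sizeof(*fmt));
    fmt->canary = CANARY_VALUE;
}

/* Store table cell right edges as tab stops, bounded by both limits:
   the number of defined cells never exceeds MAX_TABLE_CELLS, and the
   number of stored tab stops never exceeds MAX_TAB_STOPS (index <= 31).
   Returns the number of entries actually stored. */
int set_cell_tab_stops(para_format *fmt, const long *cell_right, int num_cells_defined)
{
    int n = num_cells_defined;
    if (n < 0) n = 0;
    if (n > MAX_TABLE_CELLS) n = MAX_TABLE_CELLS;   /* numCellsDefined clamp */
    if (n > MAX_TAB_STOPS)   n = MAX_TAB_STOPS;     /* cTabCount clamp */
    memcpy(fmt->rgxTabs, cell_right, (size_t)n * sizeof(long));
    fmt->cTabCount = n;
    return n;
}

/* Bounds-checked read: returns 1 and writes *out on success, 0 if the
   index is outside the stored tab stops. */
int get_tab_stop(const para_format *fmt, int index, long *out)
{
    if (index < 0 || index >= fmt->cTabCount || index >= MAX_TAB_STOPS)
        return 0;
    *out = fmt->rgxTabs[index];
    return 1;
}

int canary_intact(const para_format *fmt)
{
    return fmt->canary == CANARY_VALUE;
}
```

With 63 constructed cell positions the store keeps exactly 32 entries and the canary after the buffer is untouched.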

