ddraw: Better validation of IDirectDrawSurface::BltFast parameters (2nd try)

Iain Arnell iarnell at gmail.com
Sat Jun 19 02:02:08 CDT 2010 

fixes #23238 -  Repton 3: crashes when viewing map.
---
 dlls/ddraw/surface.c        |    6 ++++++
 dlls/ddraw/tests/dsurface.c |    4 ++++
 2 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/dlls/ddraw/surface.c b/dlls/ddraw/surface.c
index bfe83a4..0e28433 100644
--- a/dlls/ddraw/surface.c
+++ b/dlls/ddraw/surface.c
@@ -2080,6 +2080,12 @@ IDirectDrawSurfaceImpl_BltFast(IDirectDrawSurface7 *iface,
     HRESULT hr;
     TRACE("(%p)->(%d,%d,%p,%p,%d): Relay\n", This, dstx, dsty, Source, rsrc, trans);
 
+    /* Ensure that we've not been given negative signed ints */
+    if( (dstx | dsty) > (MAXDWORD >> 1) ) {
+        WARN("Application gave us negative offset for BltFast\n");
+        return DDERR_INVALIDRECT;
+    }
+
     /* Source must be != NULL, This is not checked by windows. Windows happily throws a 0xc0000005
      * in that case
      */
diff --git a/dlls/ddraw/tests/dsurface.c b/dlls/ddraw/tests/dsurface.c
index bfd5eae..92dcb65 100644
--- a/dlls/ddraw/tests/dsurface.c
+++ b/dlls/ddraw/tests/dsurface.c
@@ -2537,6 +2537,10 @@ static void BltParamTest(void)
     ok(hr == DDERR_INVALIDRECT, "BltFast with a rectangle resulting in an off-surface write returned %08x\n", hr);
     hr = IDirectDrawSurface_BltFast(surface1, 90, 90, surface2, NULL, 0);
     ok(hr == DDERR_INVALIDRECT, "BltFast with a rectangle resulting in an off-surface write returned %08x\n", hr);
+    hr = IDirectDrawSurface_BltFast(surface1, -10, 0, surface2, NULL, 0);
+    ok(hr == DDERR_INVALIDRECT, "BltFast with a rectangle resulting in an off-surface write returned %08x\n", hr);
+    hr = IDirectDrawSurface_BltFast(surface1, 0, -10, surface2, NULL, 0);
+    ok(hr == DDERR_INVALIDRECT, "BltFast with a rectangle resulting in an off-surface write returned %08x\n", hr);
     hr = IDirectDrawSurface_BltFast(surface2, 0, 0, surface1, &invalid1, 0);
     ok(hr == DDERR_INVALIDRECT, "BltFast with invalid rectangle 1 returned %08x\n", hr);
     hr = IDirectDrawSurface_BltFast(surface2, 0, 0, surface1, &invalid2, 0);
-- 
1.7.0.1

More information about the wine-patches mailing list