usp10: Do not write to last script item if buffer space is insufficient.
Thomas Faber
thomas.faber at reactos.org
Thu May 1 02:01:21 CDT 2014
The check is already present, but a memset() is done anyway, and
currently causes a buffer overflow.
From d6951e008cbbdf3ed4180994b3a64ffb19f3034a Mon Sep 17 00:00:00 2001
From: Thomas Faber <thomas.faber at reactos.org>
Date: Thu, 1 May 2014 08:57:09 +0200
Subject: usp10: Do not write to last script item if buffer space is
insufficient.
---
dlls/usp10/usp10.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/dlls/usp10/usp10.c b/dlls/usp10/usp10.c
index 94785b2..bb8f67d 100644
--- a/dlls/usp10/usp10.c
+++ b/dlls/usp10/usp10.c
@@ -1616,12 +1616,13 @@ static HRESULT _ItemizeInternal(const WCHAR *pwcInChars, int cInChars,
* item is set up to prevent random behaviour if the caller erroneously
* checks the n+1 structure */
index++;
+ if (index + 1 > cMaxItems)
+ return E_OUTOFMEMORY;
memset(&pItems[index].a, 0, sizeof(SCRIPT_ANALYSIS));
TRACE("index=%d cnt=%d iCharPos=%d\n", index, cnt, pItems[index].iCharPos);
/* Set one SCRIPT_STATE item being returned */
- if (index + 1 > cMaxItems) return E_OUTOFMEMORY;
if (pcItems) *pcItems = index;
/* Set SCRIPT_ITEM */
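Review bot: the relocated check `if (index + 1 > cMaxItems)` guards the write to pItems[index], so it would read more directly as `if (index >= cMaxItems)`, which matches the index the memset() below it actually uses. On this early return *pcItems is left unwritten, as it was before the move, so the comment above index++ should say that the terminating item is only set up when the buffer has room for it. The TRACE that follows reads pItems[index].iCharPos while only the .a member has been initialized in the visible lines; confirm iCharPos is assigned before this point, or move the trace after the SCRIPT_ITEM setup. A regression test that exercises _ItemizeInternal with a cMaxItems too small for the input would keep this overflow from coming back.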
--
1.9.0.msysgit.0