[PATCH 5/5] d3d10: Validate offsets and size in parse_fx10_type() (AFL).
Henri Verbeet
hverbeet at codeweavers.com
Sun Jul 10 08:09:20 CDT 2016
Signed-off-by: Henri Verbeet <hverbeet at codeweavers.com>
---
dlls/d3d10/effect.c | 40 +++++++++++++++++++++++++++++++++++-----
1 file changed, 35 insertions(+), 5 deletions(-)
diff --git a/dlls/d3d10/effect.c b/dlls/d3d10/effect.c
index 4736fa9..4760489 100644
--- a/dlls/d3d10/effect.c
+++ b/dlls/d3d10/effect.c
@@ -598,11 +598,18 @@ static D3D10_SHADER_VARIABLE_TYPE d3d10_variable_type(DWORD t, BOOL is_object)
static HRESULT parse_fx10_type(const char *data, size_t data_size, DWORD offset, struct d3d10_effect_type *t)
{
- const char *ptr = data + offset;
+ const char *ptr;
DWORD unknown0;
DWORD typeinfo;
unsigned int i;
+ if (offset >= data_size || !require_space(offset, 6, sizeof(DWORD), data_size))
+ {
+ WARN("Invalid offset %#x (data size %#lx).\n", offset, (long)data_size);
+ return E_FAIL;
+ }
+
+ ptr = data + offset;
read_dword(&ptr, &offset);
TRACE("Type name at offset %#x.\n", offset);
@@ -631,9 +638,14 @@ static HRESULT parse_fx10_type(const char *data, size_t data_size, DWORD offset,
switch (unknown0)
{
case 1:
- t->member_count = 0;
+ if (!require_space(ptr - data, 1, sizeof(typeinfo), data_size))
+ {
+ WARN("Invalid offset %#x (data size %#lx).\n", offset, (long)data_size);
+ return E_FAIL;
+ }
read_dword(&ptr, &typeinfo);
+ t->member_count = 0;
t->column_count = (typeinfo & D3D10_FX10_TYPE_COLUMN_MASK) >> D3D10_FX10_TYPE_COLUMN_SHIFT;
t->row_count = (typeinfo & D3D10_FX10_TYPE_ROW_MASK) >> D3D10_FX10_TYPE_ROW_SHIFT;
t->basetype = d3d10_variable_type((typeinfo & D3D10_FX10_TYPE_BASETYPE_MASK) >> D3D10_FX10_TYPE_BASETYPE_SHIFT, FALSE);
@@ -651,13 +663,18 @@ static HRESULT parse_fx10_type(const char *data, size_t data_size, DWORD offset,
case 2:
TRACE("Type is an object.\n");
+ if (!require_space(ptr - data, 1, sizeof(typeinfo), data_size))
+ {
+ WARN("Invalid offset %#x (data size %#lx).\n", offset, (long)data_size);
+ return E_FAIL;
+ }
+
+ read_dword(&ptr, &typeinfo);
t->member_count = 0;
t->column_count = 0;
t->row_count = 0;
- t->type_class = D3D10_SVC_OBJECT;
-
- read_dword(&ptr, &typeinfo);
t->basetype = d3d10_variable_type(typeinfo, TRUE);
+ t->type_class = D3D10_SVC_OBJECT;
TRACE("Type description: %#x.\n", typeinfo);
TRACE("\tbasetype: %s.\n", debug_d3d10_shader_variable_type(t->basetype));
@@ -667,6 +684,12 @@ static HRESULT parse_fx10_type(const char *data, size_t data_size, DWORD offset,
case 3:
TRACE("Type is a structure.\n");
+ if (!require_space(ptr - data, 1, sizeof(t->member_count), data_size))
+ {
+ WARN("Invalid offset %#x (data size %#lx).\n", offset, (long)data_size);
+ return E_FAIL;
+ }
+
read_dword(&ptr, &t->member_count);
TRACE("Member count: %u.\n", t->member_count);
@@ -681,6 +704,13 @@ static HRESULT parse_fx10_type(const char *data, size_t data_size, DWORD offset,
return E_OUTOFMEMORY;
}
+ if (!require_space(ptr - data, t->member_count, 4 * sizeof(DWORD), data_size))
+ {
+ WARN("Invalid member count %#x (data size %#lx, offset %#x).\n",
+ t->member_count, (long)data_size, offset);
+ return E_FAIL;
+ }
+
for (i = 0; i < t->member_count; ++i)
{
struct d3d10_effect_type_member *typem = &t->members[i];
--
2.1.4
More information about the wine-patches
mailing list