[PATCH 5/5] d3d10: Validate the base offset in parse_fx10_body() (AFL).
Henri Verbeet
hverbeet at codeweavers.com
Thu May 26 12:36:56 CDT 2016
Signed-off-by: Henri Verbeet <hverbeet at codeweavers.com>
---
dlls/d3d10/effect.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/dlls/d3d10/effect.c b/dlls/d3d10/effect.c
index 2eb0680..2adbc08 100644
--- a/dlls/d3d10/effect.c
+++ b/dlls/d3d10/effect.c
@@ -2104,10 +2104,17 @@ static void d3d10_effect_type_destroy(struct wine_rb_entry *entry, void *context
static HRESULT parse_fx10_body(struct d3d10_effect *e, const char *data, DWORD data_size)
{
- const char *ptr = data + e->index_offset;
+ const char *ptr;
unsigned int i;
HRESULT hr;
+ if (e->index_offset >= data_size)
+ {
+ WARN("Invalid index offset %#x (data size %#x).\n", e->index_offset, data_size);
+ return E_FAIL;
+ }
+ ptr = data + e->index_offset;
+
if (!(e->local_buffers = d3d10_calloc(e->local_buffer_count, sizeof(*e->local_buffers))))
{
ERR("Failed to allocate local buffer memory.\n");
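Review bot: The new `e->index_offset >= data_size` guard in parse_fx10_body() only establishes that `ptr` starts inside the blob. Nothing visible in this hunk carries the remaining length (`data_size - e->index_offset`) forward to the reads made through `ptr`. If the parsers called later in the function do not check their own reads against `data_size`, an offset near the end of the data would still allow a read past the buffer. The function body continues outside the hunk, so this may already be handled there. I would at least record the limit of the check next to it, for example `/* Only bounds the start of the body; each parser must still validate its reads against data_size. */`.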
--
2.1.4