[PATCH] d3dxof: avoid some strcpy overflows (Coverity)
Marcus Meissner
marcus at jet.franken.de
Sun Sep 4 04:24:43 CDT 2016
214462 Destination buffer too small
Check the target buffer sizes before copying into them.
Signed-off-by: Marcus Meissner <marcus at jet.franken.de>
---
dlls/d3dxof/parsing.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/dlls/d3dxof/parsing.c b/dlls/d3dxof/parsing.c
index f7724ec..26f9d46 100644
--- a/dlls/d3dxof/parsing.c
+++ b/dlls/d3dxof/parsing.c
@@ -532,8 +532,11 @@ static BOOL is_name(parse_buffer* buf)
buf->rem_bytes -= pos;
TRACE("Found name %s\n", tmp);
+ if (strlen(tmp)+1 > sizeof(buf->value)) {
+ FIXME("name %s exceeds buffer length\n", tmp);
+ return FALSE;
+ }
strcpy((char*)buf->value, tmp);
-
return TRUE;
}
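Review bot: The new length check in is_name runs after `buf->rem_bytes -= pos;`, so when it returns FALSE the parse buffer has already been consumed past the over-long name. If the caller treats FALSE as "not a name" and goes on to try another token type (not visible here), it would resume from the middle of the input. Running the `strlen(tmp)+1 > sizeof(buf->value)` test before the buffer is advanced avoids that. The same ordering appears in the is_string hunk after `buf->rem_bytes -= pos + 2;`. The check also relies on `buf->value` being an array member, not a pointer, and that declaration is outside this patch; is_name's body starts outside the hunk.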
@@ -632,6 +635,12 @@ static BOOL is_string(parse_buffer* buf)
buf->rem_bytes -= pos + 2;
TRACE("Found string %s\n", tmp);
+
+ if (strlen(tmp)+1 > sizeof(buf->value)) {
+ FIXME("name %s exceeds buffer length\n", tmp);
+ return FALSE;
+ }
+
strcpy((char*)buf->value, tmp);
return TRUE;
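Review bot: The added message in is_string reads "name %s exceeds buffer length" although the token being rejected is a string. `FIXME("string %s exceeds buffer length\n", debugstr_a(tmp));` names the right token and, through debugstr_a, escapes and truncates file-controlled bytes before they reach the log. Since this is a rejected malformed input and not an unimplemented feature, WARN may be the better channel than FIXME, here and in the other three hunks. is_string's body starts and ends outside the hunk.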
@@ -928,6 +937,10 @@ static BOOL parse_template_option_info(parse_buffer * buf)
{
if (get_TOKEN(buf) != TOKEN_NAME)
return FALSE;
+ if (strlen((char*)buf->value)+1 > sizeof(cur_template->children[cur_template->nb_children])) {
+ FIXME("name %s too long for buffer\n", (char*)buf->value);
+ return FALSE;
+ }
strcpy(cur_template->children[cur_template->nb_children], (char*)buf->value);
if (check_TOKEN(buf) == TOKEN_GUID)
get_TOKEN(buf);
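Review bot: The added test bounds the name length against one `children` slot, but the slot index `cur_template->nb_children` is not checked against the number of slots anywhere in this hunk. The `strcpy` destination can therefore still lie past the array if a template lists more children than it holds. Unless that limit is enforced outside the visible lines, add `if (cur_template->nb_children >= sizeof(cur_template->children)/sizeof(cur_template->children[0])) return FALSE;` before the copy. The same question applies to the entry `cur_member` points at in parse_template_members_list, whose index is set outside that hunk. The function body starts and ends outside this hunk.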
@@ -990,6 +1003,10 @@ static BOOL parse_template_members_list(parse_buffer * buf)
if (get_TOKEN(buf) != TOKEN_NAME)
return FALSE;
+ if (strlen((char*)buf->value)+1 > sizeof(cur_member->name)) {
+ FIXME("name %s exceeds buffer length\n", (char*)buf->value);
+ return FALSE;
+ }
strcpy(cur_member->name, (char*)buf->value);
if (array)
--
2.9.3