From 0ed49fabc3cae185a610ee973d4b0c75877812d7 Mon Sep 17 00:00:00 2001
From: Eric Pouech
Date: Fri, 26 Nov 2021 17:30:52 +0100
Subject: [PATCH] winedbg: Protect against incorrect integer size in be_cpu.fetch_integer() method.

Signed-off-by: Eric Pouech
Signed-off-by: Alexandre Julliard
---
 programs/winedbg/be_arm.c | 3 ++-
 programs/winedbg/be_arm64.c | 3 ++-
 programs/winedbg/be_i386.c | 3 ++-
 programs/winedbg/be_x86_64.c | 4 ++--
 4 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/programs/winedbg/be_arm.c b/programs/winedbg/be_arm.c
index fa25ce8dd2b..3bf5771439c 100644
--- a/programs/winedbg/be_arm.c
+++ b/programs/winedbg/be_arm.c
@@ -1834,7 +1834,8 @@ static int be_arm_adjust_pc_for_break(dbg_ctx_t *ctx, BOOL way)
 static BOOL be_arm_fetch_integer(const struct dbg_lvalue* lvalue, unsigned size,
 BOOL is_signed, LONGLONG* ret)
 {
- if (size != 1 && size != 2 && size != 4 && size != 8) return FALSE;
+ /* size must fit in ret and be a power of two */
+ if (size > sizeof(*ret) || (size & (size - 1))) return FALSE;
 memset(ret, 0, sizeof(*ret)); /* clear unread bytes */

 /* FIXME: this assumes that debuggee and debugger use the same
diff --git a/programs/winedbg/be_arm64.c b/programs/winedbg/be_arm64.c
index 9ceb9291d54..d7611ba75de 100644
--- a/programs/winedbg/be_arm64.c
+++ b/programs/winedbg/be_arm64.c
@@ -231,7 +231,8 @@ static int be_arm64_adjust_pc_for_break(dbg_ctx_t *ctx, BOOL way)
 static BOOL be_arm64_fetch_integer(const struct dbg_lvalue* lvalue, unsigned size,
 BOOL is_signed, LONGLONG* ret)
 {
- if (size != 1 && size != 2 && size != 4 && size != 8) return FALSE;
+ /* size must fit in ret and be a power of two */
+ if (size > sizeof(*ret) || (size & (size - 1))) return FALSE;
 memset(ret, 0, sizeof(*ret)); /* clear unread bytes */

 /* FIXME: this assumes that debuggee and debugger use the same
diff --git a/programs/winedbg/be_i386.c b/programs/winedbg/be_i386.c
index 08d0841a208..e7a1dd9d460 100644
--- a/programs/winedbg/be_i386.c
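Review bot: The new guard on the `+ if` line lets size == 0 through, because 0 is not greater than sizeof(*ret) and 0 & (0 - 1) evaluates to 0, whereas the removed `size != 1 && size != 2 && ...` chain rejected a zero size. be_arm_fetch_integer's body continues past the hunk; if the remaining code derives a shift count or a read length from size (as a sign-propagation step typically would), a zero size would turn into an out-of-range shift or a zero-length read, so the accepted set should stay {1, 2, 4, 8}. Suggest `if (size == 0 || size > sizeof(*ret) || (size & (size - 1))) return FALSE;` together with the comment `/* size must be non-zero, fit in ret and be a power of two */`. The identical guard is introduced in the be_arm64.c, be_i386.c and be_x86_64.c hunks and wants the same change.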
+++ b/programs/winedbg/be_i386.c
@@ -780,7 +780,8 @@ static int be_i386_adjust_pc_for_break(dbg_ctx_t *ctx, BOOL way)
 static BOOL be_i386_fetch_integer(const struct dbg_lvalue* lvalue, unsigned size,
 BOOL is_signed, LONGLONG* ret)
 {
- if (size != 1 && size != 2 && size != 4 && size != 8 && size != 16) return FALSE;
+ /* size must fit in ret and be a power of two */
+ if (size > sizeof(*ret) || (size & (size - 1))) return FALSE;
 memset(ret, 0, sizeof(*ret)); /* clear unread bytes */

 /* FIXME: this assumes that debuggee and debugger use the same
diff --git a/programs/winedbg/be_x86_64.c b/programs/winedbg/be_x86_64.c
index c2839cf4097..4920bf2d0ca 100644
--- a/programs/winedbg/be_x86_64.c
+++ b/programs/winedbg/be_x86_64.c
@@ -702,8 +702,8 @@ static int be_x86_64_adjust_pc_for_break(dbg_ctx_t *ctx, BOOL way)
 static BOOL be_x86_64_fetch_integer(const struct dbg_lvalue* lvalue, unsigned size,
 BOOL is_signed, LONGLONG* ret)
 {
- if (size != 1 && size != 2 && size != 4 && size != 8 && size != 16)
- return FALSE;
+ /* size must fit in ret and be a power of two */
+ if (size > sizeof(*ret) || (size & (size - 1))) return FALSE;
 memset(ret, 0, sizeof(*ret)); /* clear unread bytes */

 /* FIXME: this assumes that debuggee and debugger use the same