ReceiveTempSMS
/
Sweden-Number
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

d3dxof: Avoid overflowing temp buffers for large tokens.

This commit is contained in:
Dylan Smith 2011-04-20 16:20:11 -04:00 committed by Alexandre Julliard
parent 555fe78766
commit 10fbf5f542
1 changed files with 22 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
dlls/d3dxof/parsing.c
View File

@ -340,7 +340,7 @@ static BOOL is_guid(parse_buffer* buf)
if (buf->rem_bytes < 38 || *buf->buffer != '<') if (buf->rem_bytes < 38 || *buf->buffer != '<')
return FALSE; return FALSE;
tmp[0] = '<'; tmp[0] = '<';
while (*(buf->buffer+pos) != '>') while (pos < sizeof(tmp) - 2 && *(buf->buffer+pos) != '>')
{ {
tmp[pos] = *(buf->buffer+pos); tmp[pos] = *(buf->buffer+pos);
pos++; pos++;
@ -381,7 +381,7 @@ static BOOL is_guid(parse_buffer* buf)
static BOOL is_name(parse_buffer* buf) static BOOL is_name(parse_buffer* buf)
{ {
char tmp[50]; char tmp[512];
DWORD pos = 0; DWORD pos = 0;
char c; char c;
BOOL error = 0; BOOL error = 0;
@ -389,9 +389,11 @@ static BOOL is_name(parse_buffer* buf)
{ {
if (!(((c >= 'a') && (c <= 'z')) || ((c >= 'A') && (c <= 'Z')) || ((c >= '0') && (c <= '9')) || (c == '_') || (c == '-'))) if (!(((c >= 'a') && (c <= 'z')) || ((c >= 'A') && (c <= 'Z')) || ((c >= '0') && (c <= '9')) || (c == '_') || (c == '-')))
error = 1; error = 1;
tmp[pos++] = c; if (pos < sizeof(tmp))
tmp[pos] = c;
pos++;
} }
tmp[pos] = 0; tmp[min(pos, sizeof(tmp) - 1)] = 0;
if (error) if (error)
{ {
@ -410,7 +412,7 @@ static BOOL is_name(parse_buffer* buf)
static BOOL is_float(parse_buffer* buf) static BOOL is_float(parse_buffer* buf)
{ {
char tmp[50]; char tmp[512];
DWORD pos = 0; DWORD pos = 0;
char c; char c;
float decimal; float decimal;
@ -422,9 +424,11 @@ static BOOL is_float(parse_buffer* buf)
return FALSE; return FALSE;
if (c == '.') if (c == '.')
dot = TRUE; dot = TRUE;
tmp[pos++] = c; if (pos < sizeof(tmp))
tmp[pos] = c;
pos++;
} }
tmp[pos] = 0; tmp[min(pos, sizeof(tmp) - 1)] = 0;
buf->buffer += pos; buf->buffer += pos;
buf->rem_bytes -= pos; buf->rem_bytes -= pos;
@ -440,7 +444,7 @@ static BOOL is_float(parse_buffer* buf)
static BOOL is_integer(parse_buffer* buf) static BOOL is_integer(parse_buffer* buf)
{ {
char tmp[50]; char tmp[512];
DWORD pos = 0; DWORD pos = 0;
char c; char c;
DWORD integer; DWORD integer;
@ -449,9 +453,11 @@ static BOOL is_integer(parse_buffer* buf)
{ {
if (!((c >= '0') && (c <= '9'))) if (!((c >= '0') && (c <= '9')))
return FALSE; return FALSE;
tmp[pos++] = c; if (pos < sizeof(tmp))
tmp[pos] = c;
pos++;
} }
tmp[pos] = 0; tmp[min(pos, sizeof(tmp) - 1)] = 0;
buf->buffer += pos; buf->buffer += pos;
buf->rem_bytes -= pos; buf->rem_bytes -= pos;
@ -467,7 +473,7 @@ static BOOL is_integer(parse_buffer* buf)
static BOOL is_string(parse_buffer* buf) static BOOL is_string(parse_buffer* buf)
{ {
char tmp[100]; char tmp[512];
DWORD pos = 0; DWORD pos = 0;
char c; char c;
BOOL ok = 0; BOOL ok = 0;
@ -475,16 +481,18 @@ static BOOL is_string(parse_buffer* buf)
if (*buf->buffer != '"') if (*buf->buffer != '"')
return FALSE; return FALSE;
while (pos < buf->rem_bytes && !is_operator(c = *(buf->buffer+pos+1)) && (pos < 99)) while (pos < buf->rem_bytes && !is_operator(c = *(buf->buffer+pos+1)))
{ {
if (c == '"') if (c == '"')
{ {
ok = 1; ok = 1;
break; break;
} }
tmp[pos++] = c; if (pos < sizeof(tmp))
tmp[pos] = c;
pos++;
} }
tmp[pos] = 0; tmp[min(pos, sizeof(tmp) - 1)] = 0;
if (!ok) if (!ok)
{ {