From 200bfa97a8f86cea9197b1c6a6f5a26225ecaca2 Mon Sep 17 00:00:00 2001
From: Henri Verbeet
Date: Thu, 26 May 2016 19:36:56 +0200
Subject: [PATCH] d3d10: Validate the base offset in parse_fx10_body() (AFL).

Signed-off-by: Henri Verbeet
Signed-off-by: Alexandre Julliard
---
 dlls/d3d10/effect.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/dlls/d3d10/effect.c b/dlls/d3d10/effect.c
index 2eb0680e55d..2adbc08061e 100644
--- a/dlls/d3d10/effect.c
+++ b/dlls/d3d10/effect.c
@@ -2104,10 +2104,17 @@ static void d3d10_effect_type_destroy(struct wine_rb_entry *entry, void *context
 
 static HRESULT parse_fx10_body(struct d3d10_effect *e, const char *data, DWORD data_size)
 {
- const char *ptr = data + e->index_offset;
+ const char *ptr;
 unsigned int i;
 HRESULT hr;
 
+ if (e->index_offset >= data_size)
+ {
+ WARN("Invalid index offset %#x (data size %#x).\n", e->index_offset, data_size);
+ return E_FAIL;
+ }
+ ptr = data + e->index_offset;
+
 if (!(e->local_buffers = d3d10_calloc(e->local_buffer_count, sizeof(*e->local_buffers))))
 {
 ERR("Failed to allocate local buffer memory.\n");
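Review bot: The added guard in parse_fx10_body() only proves that `ptr` starts inside the buffer. An `index_offset` of `data_size - 1` passes it, so a multi-byte read from `ptr` could still run past `data + data_size`. The rest of the function is outside this hunk, so I cannot confirm whether later reads are bounded; if they are not, the remaining length `data_size - e->index_offset` should be carried along and checked before each read. At minimum I would record the limit of the check next to the assignment: `/* Only the start offset is validated here; reads from ptr must still be bounded by data_size - e->index_offset. */`. The counts used just below, such as `e->local_buffer_count`, presumably come from the same untrusted header and deserve a sanity limit against that remaining size.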