oleaut32: Handle integer overflow of len in SysReAllocStringLen and SysAllocStringByteLen.
This commit is contained in:
parent
ec80b544e1
commit
241b25b5bd
|
@ -291,6 +291,10 @@ BSTR WINAPI SysAllocStringLen(const OLECHAR *str, unsigned int len)
|
||||||
*/
|
*/
|
||||||
int WINAPI SysReAllocStringLen(BSTR* old, const OLECHAR* str, unsigned int len)
|
int WINAPI SysReAllocStringLen(BSTR* old, const OLECHAR* str, unsigned int len)
|
||||||
{
|
{
|
||||||
|
/* Detect integer overflow. */
|
||||||
|
if (len >= ((UINT_MAX-sizeof(WCHAR)-sizeof(DWORD))/sizeof(WCHAR)))
|
||||||
|
return 0;
|
||||||
|
|
||||||
if (*old!=NULL) {
|
if (*old!=NULL) {
|
||||||
DWORD newbytelen = len*sizeof(WCHAR);
|
DWORD newbytelen = len*sizeof(WCHAR);
|
||||||
DWORD *ptr = HeapReAlloc(GetProcessHeap(),0,((DWORD*)*old)-1,newbytelen+sizeof(WCHAR)+sizeof(DWORD));
|
DWORD *ptr = HeapReAlloc(GetProcessHeap(),0,((DWORD*)*old)-1,newbytelen+sizeof(WCHAR)+sizeof(DWORD));
|
||||||
|
@ -340,6 +344,10 @@ BSTR WINAPI SysAllocStringByteLen(LPCSTR str, UINT len)
|
||||||
DWORD* newBuffer;
|
DWORD* newBuffer;
|
||||||
char* stringBuffer;
|
char* stringBuffer;
|
||||||
|
|
||||||
|
/* Detect integer overflow. */
|
||||||
|
if (len >= (UINT_MAX-sizeof(WCHAR)-sizeof(DWORD)))
|
||||||
|
return NULL;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Allocate a new buffer to hold the string.
|
* Allocate a new buffer to hold the string.
|
||||||
* don't forget to keep an empty spot at the beginning of the
|
* don't forget to keep an empty spot at the beginning of the
|
||||||
|
|
|
@ -5068,6 +5068,9 @@ static void test_SysAllocStringByteLen(void)
|
||||||
str = SysAllocStringByteLen(szTestA, 0x80000000);
|
str = SysAllocStringByteLen(szTestA, 0x80000000);
|
||||||
ok (str == NULL, "Expected NULL, got %p\n", str);
|
ok (str == NULL, "Expected NULL, got %p\n", str);
|
||||||
|
|
||||||
|
str = SysAllocStringByteLen(szTestA, 0xffffffff);
|
||||||
|
ok (str == NULL, "Expected NULL, got %p\n", str);
|
||||||
|
|
||||||
str = SysAllocStringByteLen(NULL, 0);
|
str = SysAllocStringByteLen(NULL, 0);
|
||||||
ok (str != NULL, "Expected non-NULL\n");
|
ok (str != NULL, "Expected non-NULL\n");
|
||||||
if (str)
|
if (str)
|
||||||
|
|
Loading…
Reference in New Issue