From c984aa5fc94e8f64c6b924fea942b9fef8f8f5af Mon Sep 17 00:00:00 2001
From: Zebediah Figura <z.figura12@gmail.com>
Date: Wed, 7 Jun 2017 16:07:50 -0500
Subject: [PATCH] msacm32: Add more invalid parameter checks for
 acmFormatEnum().

Signed-off-by: Zebediah Figura <z.figura12@gmail.com>
Signed-off-by: Andrew Eikum <aeikum@codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard@winehq.org>
---
 dlls/msacm32/format.c      | 21 +++++++++++++++++++++
 dlls/msacm32/tests/msacm.c | 36 ++++++++++++++++++++++++++++++++----
 2 files changed, 53 insertions(+), 4 deletions(-)

diff --git a/dlls/msacm32/format.c b/dlls/msacm32/format.c
index 3f3ee5492d5..902807cb725 100644
--- a/dlls/msacm32/format.c
+++ b/dlls/msacm32/format.c
@@ -492,6 +492,9 @@ MMRESULT WINAPI acmFormatEnumA(HACMDRIVER had, PACMFORMATDETAILSA pafda,
     if (!pafda)
         return MMSYSERR_INVALPARAM;
 
+    if (!fnCallback)
+        return MMSYSERR_INVALPARAM;
+
     if (pafda->cbStruct < sizeof(*pafda))
         return MMSYSERR_INVALPARAM;
 
@@ -499,6 +502,7 @@ MMRESULT WINAPI acmFormatEnumA(HACMDRIVER had, PACMFORMATDETAILSA pafda,
     afdw.cbStruct = sizeof(afdw);
     afdw.dwFormatIndex = pafda->dwFormatIndex;
     afdw.dwFormatTag = pafda->dwFormatTag;
+    afdw.fdwSupport = pafda->fdwSupport;
     afdw.pwfx = pafda->pwfx;
     afdw.cbwfx = pafda->cbwfx;
 
@@ -613,6 +617,8 @@ MMRESULT WINAPI acmFormatEnumW(HACMDRIVER had, PACMFORMATDETAILSW pafd,
     PWINE_ACMDRIVERID		padid;
     WAVEFORMATEX		wfxRef;
     BOOL			ret;
+    DWORD			cbwfxMax;
+    MMRESULT			mmr;
 
     TRACE("(%p, %p, %p, %ld, %d)\n",
 	  had, pafd, fnCallback, dwInstance, fdwEnum);
@@ -620,9 +626,18 @@ MMRESULT WINAPI acmFormatEnumW(HACMDRIVER had, PACMFORMATDETAILSW pafd,
     if (!pafd)
         return MMSYSERR_INVALPARAM;
 
+    if (!fnCallback)
+        return MMSYSERR_INVALPARAM;
+
     if (pafd->cbStruct < sizeof(*pafd))
         return MMSYSERR_INVALPARAM;
 
+    if (pafd->fdwSupport)
+        return MMSYSERR_INVALPARAM;
+
+    if (!pafd->pwfx)
+        return MMSYSERR_INVALPARAM;
+
     if (fdwEnum & (ACM_FORMATENUMF_WFORMATTAG|ACM_FORMATENUMF_NCHANNELS|
 		   ACM_FORMATENUMF_NSAMPLESPERSEC|ACM_FORMATENUMF_WBITSPERSAMPLE|
 		   ACM_FORMATENUMF_CONVERT|ACM_FORMATENUMF_SUGGEST))
@@ -639,6 +654,12 @@ MMRESULT WINAPI acmFormatEnumW(HACMDRIVER had, PACMFORMATDETAILSW pafd,
     if (fdwEnum & (ACM_FORMATENUMF_CONVERT|ACM_FORMATENUMF_INPUT|ACM_FORMATENUMF_OUTPUT))
 	FIXME("Unsupported fdwEnum values %08x\n", fdwEnum);
 
+    mmr = acmMetrics((HACMOBJ)had, ACM_METRIC_MAX_SIZE_FORMAT, &cbwfxMax);
+    if (mmr != MMSYSERR_NOERROR)
+        return mmr;
+    if (pafd->cbwfx < cbwfxMax)
+        return MMSYSERR_INVALPARAM;
+
     if (had) {
 	HACMDRIVERID	hadid;
 
diff --git a/dlls/msacm32/tests/msacm.c b/dlls/msacm32/tests/msacm.c
index 6e79f4677f7..f5ab1682900 100644
--- a/dlls/msacm32/tests/msacm.c
+++ b/dlls/msacm32/tests/msacm.c
@@ -330,12 +330,10 @@ static BOOL CALLBACK DriverEnumProc(HACMDRIVERID hadid,
                "acmFormatEnumA(): rc = %08x, should be %08x\n",
                rc, MMSYSERR_INVALPARAM);
 
-            if (dwSize < sizeof(WAVEFORMATEX))
-                dwSize = sizeof(WAVEFORMATEX);
-
             pwfx = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSize);
 
-            pwfx->cbSize = LOWORD(dwSize) - sizeof(WAVEFORMATEX);
+            if (dwSize >= sizeof(WAVEFORMATEX))
+                pwfx->cbSize = LOWORD(dwSize) - sizeof(WAVEFORMATEX);
             pwfx->wFormatTag = WAVE_FORMAT_UNKNOWN;
 
             fd.cbStruct = sizeof(fd);
@@ -343,6 +341,36 @@ static BOOL CALLBACK DriverEnumProc(HACMDRIVERID hadid,
             fd.cbwfx = dwSize;
             fd.dwFormatTag = WAVE_FORMAT_UNKNOWN;
 
+            /* try bad callback */
+            rc = acmFormatEnumA(had, &fd, NULL, 0, 0);
+            ok(rc == MMSYSERR_INVALPARAM,
+               "acmFormatEnumA(): rc = %08x, should be %08x\n",
+               rc, MMSYSERR_INVALPARAM);
+
+            /* try bad pwfx */
+            fd.pwfx = NULL;
+            rc = acmFormatEnumA(had, &fd, FormatEnumProc, 0, 0);
+            ok(rc == MMSYSERR_INVALPARAM,
+               "acmFormatEnumA(): rc = %08x, should be %08x\n",
+               rc, MMSYSERR_INVALPARAM);
+            fd.pwfx = pwfx;
+
+            /* fdwSupport must be zero */
+            fd.fdwSupport = 0xdeadbeef;
+            rc = acmFormatEnumA(had, &fd, FormatEnumProc, 0, 0);
+            ok(rc == MMSYSERR_INVALPARAM,
+               "acmFormatEnumA(): rc = %08x, should be %08x\n",
+               rc, MMSYSERR_INVALPARAM);
+            fd.fdwSupport = 0;
+
+            /* try bad pwfx structure size */
+            fd.cbwfx = dwSize-1;
+            rc = acmFormatEnumA(had, &fd, FormatEnumProc, 0, 0);
+            ok(rc == MMSYSERR_INVALPARAM,
+               "acmFormatEnumA(): rc = %08x, should be %08x\n",
+               rc, MMSYSERR_INVALPARAM);
+            fd.cbwfx = dwSize;
+
             /* try valid parameters */
             rc = acmFormatEnumA(had, &fd, FormatEnumProc, 0, 0);
             ok(rc == MMSYSERR_NOERROR,