oleaut32: Handle integer overflow of len in SysReAllocStringLen and SysAllocStringByteLen.

2024-11-05 18:01:34 +00:00 · 2007-11-27 22:43:00 +00:00 · 2007-11-27 22:43:00 +00:00 · 241b25b5bd
commit 241b25b5bd
parent ec80b544e1
2 changed files with 11 additions and 0 deletions
--- a/dlls/oleaut32/oleaut.c
+++ b/dlls/oleaut32/oleaut.c
@ -291,6 +291,10 @@ BSTR WINAPI SysAllocStringLen(const OLECHAR *str, unsigned int len)
 */
 int WINAPI SysReAllocStringLen(BSTR* old, const OLECHAR* str, unsigned int len)
 {
+    /* Detect integer overflow. */
+    if (len >= ((UINT_MAX-sizeof(WCHAR)-sizeof(DWORD))/sizeof(WCHAR)))
+	return 0;
+
    if (*old!=NULL) {
      DWORD newbytelen = len*sizeof(WCHAR);
      DWORD *ptr = HeapReAlloc(GetProcessHeap(),0,((DWORD*)*old)-1,newbytelen+sizeof(WCHAR)+sizeof(DWORD));
@ -340,6 +344,10 @@ BSTR WINAPI SysAllocStringByteLen(LPCSTR str, UINT len)
    DWORD* newBuffer;
    char* stringBuffer;

+    /* Detect integer overflow. */
+    if (len >= (UINT_MAX-sizeof(WCHAR)-sizeof(DWORD)))
+	return NULL;
+
    /*
     * Allocate a new buffer to hold the string.
     * don't forget to keep an empty spot at the beginning of the
--- a/dlls/oleaut32/tests/vartype.c
+++ b/dlls/oleaut32/tests/vartype.c
@ -5068,6 +5068,9 @@ static void test_SysAllocStringByteLen(void)
  str = SysAllocStringByteLen(szTestA, 0x80000000);
  ok (str == NULL, "Expected NULL, got %p\n", str);

+  str = SysAllocStringByteLen(szTestA, 0xffffffff);
+  ok (str == NULL, "Expected NULL, got %p\n", str);
+
  str = SysAllocStringByteLen(NULL, 0);
  ok (str != NULL, "Expected non-NULL\n");
  if (str)