From 241b25b5bdd470d844afa6ec71de8b3476c832c9 Mon Sep 17 00:00:00 2001
From: Rob Shearman
Date: Tue, 27 Nov 2007 22:43:00 +0000
Subject: [PATCH] oleaut32: Handle integer overflow of len in SysReAllocStringLen and SysAllocStringByteLen.
---
 dlls/oleaut32/oleaut.c | 8 ++++++++
 dlls/oleaut32/tests/vartype.c | 3 +++
 2 files changed, 11 insertions(+)
diff --git a/dlls/oleaut32/oleaut.c b/dlls/oleaut32/oleaut.c
index f756d83a4ed..a6774080b1b 100644
--- a/dlls/oleaut32/oleaut.c
+++ b/dlls/oleaut32/oleaut.c
@@ -291,6 +291,10 @@ BSTR WINAPI SysAllocStringLen(const OLECHAR *str, unsigned int len)
 */
 int WINAPI SysReAllocStringLen(BSTR* old, const OLECHAR* str, unsigned int len)
 {
+ /* Detect integer overflow. */
+ if (len >= ((UINT_MAX-sizeof(WCHAR)-sizeof(DWORD))/sizeof(WCHAR)))
+ return 0;
+
 if (*old!=NULL) {
 DWORD newbytelen = len*sizeof(WCHAR);
 DWORD *ptr = HeapReAlloc(GetProcessHeap(),0,((DWORD*)*old)-1,newbytelen+sizeof(WCHAR)+sizeof(DWORD));
@@ -340,6 +344,10 @@ BSTR WINAPI SysAllocStringByteLen(LPCSTR str, UINT len)
 DWORD* newBuffer;
 char* stringBuffer;
 
+ /* Detect integer overflow. */
+ if (len >= (UINT_MAX-sizeof(WCHAR)-sizeof(DWORD)))
+ return NULL;
+
 /*
 * Allocate a new buffer to hold the string.
 * don't forget to keep an empty spot at the beginning of the
diff --git a/dlls/oleaut32/tests/vartype.c b/dlls/oleaut32/tests/vartype.c
index b0335aacbed..2292036027f 100644
--- a/dlls/oleaut32/tests/vartype.c
+++ b/dlls/oleaut32/tests/vartype.c
@@ -5068,6 +5068,9 @@ static void test_SysAllocStringByteLen(void)
 str = SysAllocStringByteLen(szTestA, 0x80000000);
 ok (str == NULL, "Expected NULL, got %p\n", str);
 
+ str = SysAllocStringByteLen(szTestA, 0xffffffff);
+ ok (str == NULL, "Expected NULL, got %p\n", str);
+
 str = SysAllocStringByteLen(NULL, 0);
 ok (str != NULL, "Expected non-NULL\n");
 if (str)
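Review bot: The new guard in SysReAllocStringLen stops `newbytelen+sizeof(WCHAR)+sizeof(DWORD)` from wrapping, but a length just under the limit still asks HeapReAlloc for close to 4 GB, and how a NULL `ptr` is handled is not visible here because the function body continues past the hunk. If the lines that follow write through `ptr` unconditionally, add `if (!ptr) return 0;` directly after the HeapReAlloc call so that a failed reallocation leaves `*old` untouched instead of dereferencing an invalid pointer. The comment would also be clearer if it named what it protects, for example `/* Reject len whose byte size plus terminator and length prefix does not fit in a DWORD. */`; the same wording issue applies to the guard added in SysAllocStringByteLen.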
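Review bot: The limit in SysAllocStringByteLen is written out by hand a second time, here without the `/sizeof(WCHAR)` used in SysReAllocStringLen, so the two guards can drift apart when one is edited. A single named bound, for instance `#define BSTR_MAX_BYTES (UINT_MAX-sizeof(WCHAR)-sizeof(DWORD))` (suggested name), used as `len >= BSTR_MAX_BYTES` here and `len >= BSTR_MAX_BYTES/sizeof(WCHAR)` in the other function, would keep them tied to the same allocation layout. Whether SysAllocStringLen and any other BSTR allocators in this file carry an equivalent check is not visible in this patch and is worth confirming. The allocation this guard protects lies outside the hunk.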
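Review bot: Only the SysAllocStringByteLen guard gets a test in this hunk; nothing in the patch exercises the new early return in SysReAllocStringLen, which is the path where a wrapped size would shrink an existing buffer while recording a huge length. A case on an already-allocated BSTR such as `ok (!SysReAllocStringLen(&str, NULL, 0x7fffffff), "Expected FALSE\n");`, followed by a check that `str` is unchanged and can still be freed, would pin that behaviour. test_SysAllocStringByteLen continues past the hunk, so the right place for it (here or in a dedicated test function) cannot be judged from these lines.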