Shachar Shemesh <wine-devel@shemesh.biz> writes: > Michael Günnewig wrote: > >>Changelog: >> Fixed use of uninitialized memory and wrong buffersize (found by valgrind). ... > What are we doing to prevent integer overflow on these allocations? > Shouldn't we, perhaps, use some wrapper that checks that > "cbFilter*sizeof(WCHAR)" is not greater than "MAXINT"? That's a fair point, so here is the new patch. Michael
--- dlls/avifil32/api.c.SAV 2003-09-20 16:14:45.000000000 +0200
+++ dlls/avifil32/api.c 2003-09-22 12:13:55.000000000 +0200
@@ -1005,12 +1005,14 @@
 return AVIERR_BADPARAM;
 if (cbFilter < 2)
 return AVIERR_BADSIZE;
+ if (cbFilter >= MAXINT_PTR / sizeof(WCHAR))
+ return AVIERR_MEMORY;
 szFilter[0] = 0;
 szFilter[1] = 0;
- wszFilter = (LPWSTR)GlobalAllocPtr(GHND, cbFilter);
+ wszFilter = (LPWSTR)GlobalAllocPtr(GHND, cbFilter * sizeof(WCHAR));
 if (wszFilter == NULL)
 return AVIERR_MEMORY;
--- dlls/kernel/profile.c.~1.2.~ 2003-09-07 23:33:00.000000000 +0200
+++ dlls/kernel/profile.c 2003-09-20 15:06:51.000000000 +0200
@@ -1221,7 +1221,8 @@
 LPWSTR bufferW;
 INT retW, ret = 0;
- bufferW = buffer ? HeapAlloc(GetProcessHeap(), 0, len * sizeof(WCHAR)) : NULL;
+ bufferW = (buffer ? HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
+ len * sizeof(WCHAR)) : NULL);
 if (section) RtlCreateUnicodeStringFromAsciiz(§ionW, section);
 else sectionW.Buffer = NULL;
 if (filename) RtlCreateUnicodeStringFromAsciiz(&filenameW, filename);
--- dlls/user/message.c.~1.45.~ 2003-09-16 13:25:43.000000000 +0200
+++ dlls/user/message.c 2003-09-20 14:51:57.000000000 +0200
@@ -2166,6 +2166,7 @@
 TRACE( "hwnd %p msg %x (%s) wp %x lp %lx\n", hwnd, msg, SPY_GetMsgName(msg, hwnd), wparam, lparam );
+ memset(&info, 0, sizeof(info));
 info.type = MSG_POSTED;
 info.hwnd = hwnd;
 info.msg = msg;
@@ -2211,6 +2212,7 @@
 }
 if (USER_IsExitingThread( thread )) return TRUE;
+ memset(&info, 0, sizeof(info));
 info.type = MSG_POSTED;
 info.hwnd = 0;
 info.msg = msg;
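Review bot: The new guard `if (cbFilter >= MAXINT_PTR / sizeof(WCHAR))` is only correct together with the `if (cbFilter < 2)` test just above it: `sizeof` is `size_t`, so the comparison is done unsigned, and a negative `cbFilter` would slip through this line if the two checks were ever reordered. A short comment tying them together would keep that from being lost, e.g. `/* cbFilter is a character count; negatives were rejected above, now reject counts whose WCHAR byte size would overflow */`. Using `>=` against the divided limit over-rejects by exactly one value, which is harmless, and on a target where `size_t` is wider than `cbFilter` the product cannot wrap and the check simply never fires — also fine, but worth a word in the comment. The @@ header announces more lines than appear here, so the hunk looks truncated in the mail and the function body continues past it.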
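Review bot: The allocation `HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, len * sizeof(WCHAR))` still has the unchecked `len * sizeof(WCHAR)` product that this same patch guards in api.c; for consistency it should get the equivalent bound before the call, e.g. `if (buffer && len > MAXINT_PTR / sizeof(WCHAR)) return ret;`, routed through whatever failure path the `bufferW == NULL` case takes (that path is not visible in the hunk, so the return value is a guess). `HEAP_ZERO_MEMORY` silences the valgrind report without recording why: if the W-side call can leave the buffer unterminated on some path, zero-filling turns garbage into an empty string, which is an acceptable fallback but should be stated so it is not later removed as a no-op, e.g. `/* zero-fill: the W call may leave the buffer unterminated on error paths and the A conversion below reads it */` — hedged, since the rest of the function is outside the hunk. The `§ionW` in the context line appears to be an HTML-entity rendering of `&sectionW` by the mail archive rather than patch content.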
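Review bot: The added `memset(&info, 0, sizeof(info));` carries no comment naming the member that was read uninitialized; every member visible in this hunk (`type`, `hwnd`, `msg`) is assigned immediately after it, so a later reader will take the memset for a redundancy and remove it. Suggest `/* clear members not assigned below; the whole struct is handed on downstream (found by valgrind) */`, or name the specific field if it is known. Whether the struct has padding or further unassigned members is not visible here, and the enclosing function starts and ends outside the hunk.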
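Review bot: This is the second identical `memset(&info, 0, sizeof(info));` in the same file; the idiomatic C form is to zero `info` where it is declared (`= { 0 }`, or designated initialisers for the members set here), which cannot be forgotten at a third call site and makes the intent visible at the declaration rather than a few lines before the first assignment. The declaration of `info` lies outside this hunk, so that change would touch lines the patch does not show. If the memset is kept, add a one-line comment naming the uninitialized member it fixes so the call is not later removed as dead code.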