Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2024-11-20 06:15:26 +00:00
Code Issues Projects Releases Packages Wiki Activity

[GDI32][NTGDI] Avoid integer overflow (follow-up of #1492) (#1495)

Browse source 
Follow up of #1492. CORE-15755
- Use RtlULongMult function to check integer overflows.
This commit is contained in:
Katayama Hirofumi MZ 2019-04-11 17:57:57 +09:00 committed by GitHub
parent 811faed421
commit bc9f3ed887
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 19 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
win32ss/gdi/gdi32/include/precomp.h
View file

@ -58,5 +58,6 @@
#include <ntgdibad.h>
#include <undocgdi.h>
#include <ntintsafe.h>
#endif /* _GDI32_PCH_ */

12
win32ss/gdi/gdi32/objects/font.c
View file

@ -295,7 +295,9 @@ IntEnumFontFamilies(HDC Dc, const LOGFONTW *LogFont, PVOID EnumProc, LPARAM lPar
ENUMLOGFONTEXA EnumLogFontExA;
NEWTEXTMETRICEXA NewTextMetricExA;
LOGFONTW lfW;
LONG DataSize, InfoCount;
LONG InfoCount;
ULONG DataSize;
NTSTATUS Status;
DataSize = INITIAL_FAMILY_COUNT * sizeof(FONTFAMILYINFO);
Info = RtlAllocateHeap(GetProcessHeap(), 0, DataSize);
@ -330,7 +332,13 @@ IntEnumFontFamilies(HDC Dc, const LOGFONTW *LogFont, PVOID EnumProc, LPARAM lPar
if (INITIAL_FAMILY_COUNT < InfoCount)
{
RtlFreeHeap(GetProcessHeap(), 0, Info);
DataSize = InfoCount * sizeof(FONTFAMILYINFO);
Status = RtlULongMult(InfoCount, sizeof(FONTFAMILYINFO), &DataSize);
if (!NT_SUCCESS(Status) || DataSize > LONG_MAX)
{
DPRINT1("Overflowed.\n");
return 1;
}
Info = RtlAllocateHeap(GetProcessHeap(), 0, DataSize);
if (Info == NULL)
{

13
win32ss/gdi/ntgdi/freetype.c
View file

@ -5456,7 +5456,8 @@ NtGdiGetFontFamilyInfo(HDC Dc,
NTSTATUS Status;
LOGFONTW LogFont;
PFONTFAMILYINFO Info;
LONG GotCount, AvailCount, DataSize, SafeInfoCount;
LONG GotCount, AvailCount, SafeInfoCount;
ULONG DataSize;
if (UnsafeLogFont == NULL || UnsafeInfo == NULL || UnsafeInfoCount == NULL)
{
@ -5490,9 +5491,10 @@ NtGdiGetFontFamilyInfo(HDC Dc,
}
/* Allocate space for a safe copy */
DataSize = SafeInfoCount * sizeof(FONTFAMILYINFO);
if (DataSize <= 0)
Status = RtlULongMult(SafeInfoCount, sizeof(FONTFAMILYINFO), &DataSize);
if (!NT_SUCCESS(Status) || (ULONG)DataSize > LONG_MAX)
{
DPRINT1("Overflowed.\n");
EngSetLastError(ERROR_INVALID_PARAMETER);
return -1;
}
@ -5511,9 +5513,10 @@ NtGdiGetFontFamilyInfo(HDC Dc,
/* Return data to caller */
if (GotCount > 0)
{
DataSize = GotCount * sizeof(FONTFAMILYINFO);
if (DataSize <= 0)
Status = RtlULongMult(GotCount, sizeof(FONTFAMILYINFO), &DataSize);
if (!NT_SUCCESS(Status) || DataSize > LONG_MAX)
{
DPRINT1("Overflowed.\n");
ExFreePoolWithTag(Info, GDITAG_TEXT);
EngSetLastError(ERROR_INVALID_PARAMETER);
return -1;