mirror of
https://github.com/reactos/reactos.git
synced 2024-11-20 06:15:26 +00:00
Follow up of #1492. CORE-15755 - Use RtlULongMult function to check integer overflows.
This commit is contained in:
Katayama Hirofumi MZ
GitHub
parent
811faed421
commit
bc9f3ed887
3 changed files with 19 additions and 7 deletions
|
|
@ -58,5 +58,6 @@
|
||||||
#include <ntgdibad.h>
|
#include <ntgdibad.h>
|
||||||
|
|
||||||
#include <undocgdi.h>
|
#include <undocgdi.h>
|
||||||
|
#include <ntintsafe.h>
|
||||||
|
|
||||||
#endif /* _GDI32_PCH_ */
|
#endif /* _GDI32_PCH_ */
|
||||||
|
|
|
||||||
|
|
@ -295,7 +295,9 @@ IntEnumFontFamilies(HDC Dc, const LOGFONTW *LogFont, PVOID EnumProc, LPARAM lPar
|
||||||
ENUMLOGFONTEXA EnumLogFontExA;
|
ENUMLOGFONTEXA EnumLogFontExA;
|
||||||
NEWTEXTMETRICEXA NewTextMetricExA;
|
NEWTEXTMETRICEXA NewTextMetricExA;
|
||||||
LOGFONTW lfW;
|
LOGFONTW lfW;
|
||||||
LONG DataSize, InfoCount;
|
LONG InfoCount;
|
||||||
|
ULONG DataSize;
|
||||||
|
NTSTATUS Status;
|
||||||
|
|
||||||
DataSize = INITIAL_FAMILY_COUNT * sizeof(FONTFAMILYINFO);
|
DataSize = INITIAL_FAMILY_COUNT * sizeof(FONTFAMILYINFO);
|
||||||
Info = RtlAllocateHeap(GetProcessHeap(), 0, DataSize);
|
Info = RtlAllocateHeap(GetProcessHeap(), 0, DataSize);
|
||||||
|
|
@ -330,7 +332,13 @@ IntEnumFontFamilies(HDC Dc, const LOGFONTW *LogFont, PVOID EnumProc, LPARAM lPar
|
||||||
if (INITIAL_FAMILY_COUNT < InfoCount)
|
if (INITIAL_FAMILY_COUNT < InfoCount)
|
||||||
{
|
{
|
||||||
RtlFreeHeap(GetProcessHeap(), 0, Info);
|
RtlFreeHeap(GetProcessHeap(), 0, Info);
|
||||||
DataSize = InfoCount * sizeof(FONTFAMILYINFO);
|
|
||||||
|
Status = RtlULongMult(InfoCount, sizeof(FONTFAMILYINFO), &DataSize);
|
||||||
|
if (!NT_SUCCESS(Status) || DataSize > LONG_MAX)
|
||||||
|
{
|
||||||
|
DPRINT1("Overflowed.\n");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
Info = RtlAllocateHeap(GetProcessHeap(), 0, DataSize);
|
Info = RtlAllocateHeap(GetProcessHeap(), 0, DataSize);
|
||||||
if (Info == NULL)
|
if (Info == NULL)
|
||||||
{
|
{
|
||||||
|
|
|
||||||
|
|
@ -5456,7 +5456,8 @@ NtGdiGetFontFamilyInfo(HDC Dc,
|
||||||
NTSTATUS Status;
|
NTSTATUS Status;
|
||||||
LOGFONTW LogFont;
|
LOGFONTW LogFont;
|
||||||
PFONTFAMILYINFO Info;
|
PFONTFAMILYINFO Info;
|
||||||
LONG GotCount, AvailCount, DataSize, SafeInfoCount;
|
LONG GotCount, AvailCount, SafeInfoCount;
|
||||||
|
ULONG DataSize;
|
||||||
|
|
||||||
if (UnsafeLogFont == NULL || UnsafeInfo == NULL || UnsafeInfoCount == NULL)
|
if (UnsafeLogFont == NULL || UnsafeInfo == NULL || UnsafeInfoCount == NULL)
|
||||||
{
|
{
|
||||||
|
|
@ -5490,9 +5491,10 @@ NtGdiGetFontFamilyInfo(HDC Dc,
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Allocate space for a safe copy */
|
/* Allocate space for a safe copy */
|
||||||
DataSize = SafeInfoCount * sizeof(FONTFAMILYINFO);
|
Status = RtlULongMult(SafeInfoCount, sizeof(FONTFAMILYINFO), &DataSize);
|
||||||
if (DataSize <= 0)
|
if (!NT_SUCCESS(Status) || (ULONG)DataSize > LONG_MAX)
|
||||||
{
|
{
|
||||||
|
DPRINT1("Overflowed.\n");
|
||||||
EngSetLastError(ERROR_INVALID_PARAMETER);
|
EngSetLastError(ERROR_INVALID_PARAMETER);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
@ -5511,9 +5513,10 @@ NtGdiGetFontFamilyInfo(HDC Dc,
|
||||||
/* Return data to caller */
|
/* Return data to caller */
|
||||||
if (GotCount > 0)
|
if (GotCount > 0)
|
||||||
{
|
{
|
||||||
DataSize = GotCount * sizeof(FONTFAMILYINFO);
|
Status = RtlULongMult(GotCount, sizeof(FONTFAMILYINFO), &DataSize);
|
||||||
if (DataSize <= 0)
|
if (!NT_SUCCESS(Status) || DataSize > LONG_MAX)
|
||||||
{
|
{
|
||||||
|
DPRINT1("Overflowed.\n");
|
||||||
ExFreePoolWithTag(Info, GDITAG_TEXT);
|
ExFreePoolWithTag(Info, GDITAG_TEXT);
|
||||||
EngSetLastError(ERROR_INVALID_PARAMETER);
|
EngSetLastError(ERROR_INVALID_PARAMETER);
|
||||||
return -1;
|
return -1;
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue