http://bugs.winehq.org/show_bug.cgi?id=33457

         Bug #: 33457
       Summary: Will the multiplication suffer from integer overflow @line 268?
       Product: Wine
       Version: unspecified
      Platform: x86
    OS/Version: Linux
        Status: UNCONFIRMED
      Severity: normal
      Priority: P2
     Component: comctl32
    AssignedTo: wine-bugs(a)winehq.org
    ReportedBy: sunxs(a)is.iscas.ac.cn
Classification: Unclassified

We notice that the multiplication at line 268 may overflow under some conditions, and is not checked.
We think it is necessary to check it, as DSA_InsertItem is an exported function. It is not guaranteed that all the parameters will be in the valid range.
The related code is shown below.

Xiaoshan Sun
TCA, ISCAS

============== related source code ========================================
Implemented in "dlls/comctl32/dsa.c".
source.winehq.org/source/dlls/comctl32/dsa.c

251 INT WINAPI DSA_InsertItem (const HDSA hdsa, INT nIndex, LPVOID pSrc)
252 {
253     INT   nNewItems, nSize;
254     LPVOID  lpTemp, lpDest;
255
256     TRACE("(%p %d %p)\n", hdsa, nIndex, pSrc);
257
258     if ((!hdsa) || nIndex < 0)
259         return -1;
260
261     /* when nIndex >= nItemCount then append */
262     if (nIndex >= hdsa->nItemCount)
263         nIndex = hdsa->nItemCount;
264
265     /* do we need to resize ? */
266     if (hdsa->nItemCount >= hdsa->nMaxCount) {
267         nNewItems = hdsa->nMaxCount + hdsa->nGrow;
268         nSize = hdsa->nItemSize * nNewItems; // if ( nSize/nNewItems != hdsa->nItemSize){ overflow detected;}
269
270         lpTemp = ReAlloc (hdsa->pData, nSize);
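
The size computation at lines 267-268 with the overflow check done before the arithmetic, as an added example that is not part of the original report or of Wine's source. `struct dsa_model` and `dsa_grown_size` are hypothetical names, only the field names come from the excerpt, and the sample values are constructed. The check compares against `INT_MAX` first because signed overflow is undefined behaviour in C, so a division applied to the product afterwards operates on a value the compiler need not preserve.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical stand-in for the fields the excerpt reads from hdsa;
 * not Wine's real structure definition. */
struct dsa_model {
    int nItemCount;
    int nMaxCount;
    int nGrow;
    int nItemSize;
};

/* Computes the byte size of the grown array, as lines 267-268 do, but
 * rejects inputs whose sum or product would not fit in an int.
 * Returns 0 and stores the size in *out on success, -1 otherwise. */
static int dsa_grown_size(const struct dsa_model *d, int *out)
{
    int nNewItems;

    /* Assumption of this model: sizes and growth must be positive. */
    if (d->nItemSize <= 0 || d->nMaxCount < 0 || d->nGrow <= 0)
        return -1;
    if (d->nGrow > INT_MAX - d->nMaxCount)
        return -1;                  /* nMaxCount + nGrow would overflow */
    nNewItems = d->nMaxCount + d->nGrow;
    /* Test before multiplying; nItemSize > 0, so the division is safe. */
    if (nNewItems > INT_MAX / d->nItemSize)
        return -1;                  /* nItemSize * nNewItems would overflow */
    *out = d->nItemSize * nNewItems;
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the bug report. */
    struct dsa_model ok  = { 4, 4, 4, 16 };
    struct dsa_model bad = { 0x08000000, 0x08000000, 1, 16 };
    int size = 0;
    int rc = dsa_grown_size(&ok, &size);

    printf("ok:  rc=%d size=%d\n", rc, size);
    rc = dsa_grown_size(&bad, &size);
    printf("bad: rc=%d\n", rc);
    return 0;
}
```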