[Bug 33457] New: Will the multiplication suffers from integer overflow @line 268?
http://bugs.winehq.org/show_bug.cgi?id=33457

           Bug #: 33457
         Summary: Will the multiplication suffers from integer overflow @line 268?
         Product: Wine
         Version: unspecified
        Platform: x86
      OS/Version: Linux
          Status: UNCONFIRMED
        Severity: normal
        Priority: P2
       Component: comctl32
      AssignedTo: wine-bugs(a)winehq.org
      ReportedBy: sunxs(a)is.iscas.ac.cn
  Classification: Unclassified

We notice that the multiplication at line 268 may overflow under some
conditions, and is not checked. We think it is necessary to check it, as
DSA_InsertItem is an exported function. It is not guaranteed that all the
parameters will be in the valid range. The related code is shown below.

Xiaoshan Sun
TCA, ISCAS

============== related source codes ========================================
Implemented in "dlls/comctl32/dsa.c".
source.winehq.org/source/dlls/comctl32/dsa.c

251 INT WINAPI DSA_InsertItem (const HDSA hdsa, INT nIndex, LPVOID pSrc)
252 {
253     INT   nNewItems, nSize;
254     LPVOID  lpTemp, lpDest;
255
256     TRACE("(%p %d %p)\n", hdsa, nIndex, pSrc);
257
258     if ((!hdsa) || nIndex < 0)
259         return -1;
260
261     /* when nIndex >= nItemCount then append */
262     if (nIndex >= hdsa->nItemCount)
263         nIndex = hdsa->nItemCount;
264
265     /* do we need to resize ? */
266     if (hdsa->nItemCount >= hdsa->nMaxCount) {
267         nNewItems = hdsa->nMaxCount + hdsa->nGrow;
268         nSize = hdsa->nItemSize * nNewItems; // if ( nSize/nNewItems != hdsa->nItemSize){ overflow detected;}
269
270         lpTemp = ReAlloc (hdsa->pData, nSize);

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.
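
An added example, not part of the report and not Wine's code: a size computation for the resize step at lines 267-268 that tests both the addition and the multiplication before performing them, because overflow of a signed int in C is undefined behaviour and cannot be reliably detected from the result afterwards. The struct dsa_model and the function dsa_checked_grow_size are hypothetical names that mirror only the fields visible in the excerpt.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical stand-in for the fields the excerpt reads through hdsa;
   this is not Wine's real structure definition. */
struct dsa_model {
    int nItemCount;
    int nMaxCount;
    int nGrow;
    int nItemSize;
};

/* Computes the byte size of the grown array without ever executing an
   overflowing signed operation. Returns 0 and stores the size in
   *size_out, or -1 if the state is invalid or the size does not fit. */
int dsa_checked_grow_size(const struct dsa_model *d, int *size_out)
{
    int new_items;

    if (d->nMaxCount < 0 || d->nGrow <= 0 || d->nItemSize <= 0)
        return -1;                    /* reject nonsensical state */

    if (d->nGrow > INT_MAX - d->nMaxCount)
        return -1;                    /* nMaxCount + nGrow would overflow */
    new_items = d->nMaxCount + d->nGrow;   /* > 0 after the checks above */

    if (d->nItemSize > INT_MAX / new_items)
        return -1;                    /* nItemSize * new_items would overflow */

    *size_out = d->nItemSize * new_items;
    return 0;
}

int main(void)
{
    /* Constructed sample states, not taken from any real program. */
    struct dsa_model ok  = { 4, 4, 4, 16 };
    struct dsa_model big = { 0x08000000, 0x08000000, 1, 32 };
    int size = 0;
    int rc;

    rc = dsa_checked_grow_size(&ok, &size);
    printf("ok : rc=%d size=%d\n", rc, size);
    rc = dsa_checked_grow_size(&big, &size);
    printf("big: rc=%d\n", rc);
    return 0;
}
```

A caller would return its error value instead of passing the size on to the allocator when the function reports -1.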

http://bugs.winehq.org/show_bug.cgi?id=33457

Xiaoshan Sun <sunxs(a)is.iscas.ac.cn> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Will the multiplication     |A possible security issue:
                   |suffers from integer        |will the multiplication
                   |overflow @line 268?         |suffers from integer
                   |                            |overflow @line 268?

http://bugs.winehq.org/show_bug.cgi?id=33457

Xiaoshan Sun <sunxs(a)is.iscas.ac.cn> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|A possible security issue:  |An integer overflow @line
                   |will the multiplication     |268 of dsa.c ?
                   |suffers from integer        |
                   |overflow @line 268?         |

http://bugs.winehq.org/show_bug.cgi?id=33457

Nikolay Sivov <bunglehead(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |minor

https://bugs.winehq.org/show_bug.cgi?id=33457

--- Comment #1 from Bruno Jesus <00cpxxx(a)gmail.com> ---
This is still relevant as of wine 1.7.34.

http://source.winehq.org/source/dlls/comctl32/dsa.c#0268

https://bugs.winehq.org/show_bug.cgi?id=33457

super_man(a)post.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |super_man(a)post.com

--- Comment #2 from super_man(a)post.com ---
Still valid 1.9.11

https://bugs.winehq.org/show_bug.cgi?id=33457

Nikolay Sivov <bunglehead(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
     Ever confirmed|0                           |1

--- Comment #3 from Nikolay Sivov <bunglehead(a)gmail.com> ---
Sent, https://www.winehq.org/pipermail/wine-patches/2016-July/152654.html.

https://bugs.winehq.org/show_bug.cgi?id=33457

Nikolay Sivov <bunglehead(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
      Fixed by SHA1|                            |0d57ff3d1f63f7486733f8619f3
                   |                            |916867ebd26c5
         Resolution|---                         |FIXED

--- Comment #4 from Nikolay Sivov <bunglehead(a)gmail.com> ---
Fixed with
http://source.winehq.org/git/wine.git/commit/0d57ff3d1f63f7486733f8619f39168....

https://bugs.winehq.org/show_bug.cgi?id=33457

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #5 from Alexandre Julliard <julliard(a)winehq.org> ---
Closing bugs fixed in 1.9.16.

https://bugs.winehq.org/show_bug.cgi?id=33457

Michael Stefaniuc <mstefani(a)redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mstefani(a)redhat.com
   Target Milestone|---                         |1.8.x

https://bugs.winehq.org/show_bug.cgi?id=33457

Michael Stefaniuc <mstefani(a)redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|1.8.x                       |---

--- Comment #6 from Michael Stefaniuc <mstefani(a)redhat.com> ---
Removing 1.8.x milestone from bugs included in 1.8.5.