On Friday, 9 November 2018 18:50:43 CET Nikolay Sivov wrote:
On 11/9/18 4:21 PM, Wolfgang Walter wrote:
if(table->MS_tag == MS_MAKE_TAG('g','d','i','r')) return TRUE; table->len = GetFontData(hdc, table->MS_tag, 0, NULL, 0);
+ table->check = 0; + if(table->len == GDI_ERROR) { + table->len = 0; + return TRUE; + } + if(table->len > (0xfffffffflu - 3)) { + table->len = 0; + return FALSE; + }
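Review bot: the bound in `if(table->len > (0xfffffffflu - 3))` is right for a 32-bit DWORD (after the GDI_ERROR branch only 0xfffffffd and 0xfffffffe remain, and both wrap in `table->len + 3`), but nothing at this point in the function says what it protects; a one-line comment that it guards the `(table->len + 3) & ~3` rounding passed to HeapAlloc, or spelling the bound as `UINT_MAX - 3`, would make the intent obvious to the next reader. It is also worth stating why the two new branches propagate differently: a missing table (GDI_ERROR) is turned into an empty one and returns TRUE, while an oversized table returns FALSE, yet both read as the same kind of error recovery.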
What is the second condition for?
The code which follows is:

    table->data = HeapAlloc(GetProcessHeap(), 0, (table->len + 3) & ~3 );
    memset(table->data + ((table->len - 1) & ~3), 0, sizeof(DWORD));
    GetFontData(hdc, table->MS_tag, 0, table->data, table->len);

    for(i = 0; i < (table->len + 3) / 4; i++)
        table->check += FLIP_ORDER(*((DWORD*)(table->data) + i));

If table->len (which itself is a DWORD) gets bigger than 0xfffffffflu - 3 it will overflow in (table->len + 3) and HeapAlloc does not allocate as much memory as expected. The whole thing will then be inconsistent and I thought therefore one should not rely on a) wine handling that gracefully and b) there being no such font embedded in PDFs.

Regards,
--
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Recht
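The wrap-around described in the reply above, worked through as an added example that is not Wine code and not part of the thread: DWORD is modelled as uint32_t so that `len + 3` wraps at 2^32 exactly as it does in the quoted gdi32 lines, and the functions `plan_table`, `plan_is_in_bounds` and `table_len_is_safe` are assumptions of this example that compute the sizes the quoted code would use without calling HeapAlloc or GetFontData. The guard from the patch is reproduced as `len_would_overflow`.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the Win32 DWORD: 32-bit unsigned, so "+ 3" wraps at 2^32.
 * Assumption of this example: nothing here touches Wine or GDI. */
typedef uint32_t DWORD;

struct table_plan {
    DWORD alloc_bytes;      /* size passed to HeapAlloc: (len + 3) & ~3 */
    DWORD memset_offset;    /* start of the 4-byte zero pad: (len - 1) & ~3 */
    DWORD copy_bytes;       /* bytes GetFontData writes into data: len */
    DWORD checksum_dwords;  /* iterations of the FLIP_ORDER loop: (len + 3) / 4 */
};

/* The guard added by the patch: true when (len + 3) would wrap in 32 bits. */
int len_would_overflow(DWORD len)
{
    return len > (0xfffffffflu - 3);
}

/* The HeapAlloc size the quoted code computes, in 32-bit arithmetic. */
DWORD rounded_alloc_size(DWORD len)
{
    return (len + 3) & ~(DWORD)3;
}

/* Derive every size/offset the quoted code would use for a table of `len`
 * bytes. Returns 1 if the guard (when enabled) rejects the length, 0 if the
 * plan was filled in. */
int plan_table(DWORD len, int guarded, struct table_plan *p)
{
    if (guarded && len_would_overflow(len))
        return 1;
    p->alloc_bytes     = rounded_alloc_size(len);
    p->memset_offset   = (len - 1) & ~(DWORD)3;
    p->copy_bytes      = len;
    p->checksum_dwords = (len + 3) / 4;
    return 0;
}

/* Check that each access the quoted code makes stays inside the buffer
 * HeapAlloc returned. Widened to 64 bits so the check itself cannot wrap. */
int plan_is_in_bounds(const struct table_plan *p)
{
    uint64_t alloc = p->alloc_bytes;
    if ((uint64_t)p->copy_bytes > alloc)                 return 0; /* GetFontData over-writes */
    if ((uint64_t)p->memset_offset + 4 > alloc)          return 0; /* zero pad lands outside  */
    if ((uint64_t)p->checksum_dwords * 4 > alloc)        return 0; /* checksum loop over-reads */
    return 1;
}

/* 1 if a table of this length is handled safely (rejected by the guard, or
 * laid out entirely in bounds), 0 if the quoted code would write or read
 * outside the allocation. */
int table_len_is_safe(DWORD len, int guarded)
{
    struct table_plan p;
    if (plan_table(len, guarded, &p))
        return 1;   /* rejected before anything is allocated */
    return plan_is_in_bounds(&p);
}

int main(void)
{
    /* Constructed sample lengths: two ordinary tables, the largest length
     * that still rounds correctly, and the two lengths below GDI_ERROR
     * (0xffffffff) for which (len + 3) wraps. */
    const DWORD samples[] = { 100, 101, 0xfffffffc, 0xfffffffd, 0xfffffffe };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct table_plan p;
        DWORD len = samples[i];
        plan_table(len, 0, &p);   /* unguarded, to show what the old code did */
        printf("len=0x%08x alloc=0x%08x copy=0x%08x memset@0x%08x -> %s; guard %s\n",
               (unsigned)len, (unsigned)p.alloc_bytes, (unsigned)p.copy_bytes,
               (unsigned)p.memset_offset,
               plan_is_in_bounds(&p) ? "in bounds" : "OUT OF BOUNDS",
               len_would_overflow(len) ? "rejects" : "accepts");
    }
    return 0;
}
```

For 0xfffffffd and 0xfffffffe the rounded size wraps to 0, so HeapAlloc would hand back an empty block while GetFontData is asked to copy roughly 4 GB into it; 0xfffffffc is the largest value for which every access stays inside the allocation, which is exactly the boundary the patch's `> 0xffffffff - 3` test draws. The same model also flags len == 0, where `(len - 1) & ~3` wraps to 0xfffffffc for the memset; whether GetFontData can return 0 for a table that is present is not established by this thread, so treat that as an observation about the arithmetic rather than a claim about Wine.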