[PATCH 1/3] ntdll: Only set owned bits in RTL_BITMAP
From: Michał Janiszewski <janisozaur(a)gmail.com>
Signed-off-by: Michał Janiszewski <janisozaur(a)gmail.com>
---
 dlls/ntdll/rtlbitmap.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/dlls/ntdll/rtlbitmap.c b/dlls/ntdll/rtlbitmap.c
index 318f6fcbd4..c3e9385ec0 100644
--- a/dlls/ntdll/rtlbitmap.c
+++ b/dlls/ntdll/rtlbitmap.c
@@ -157,7 +157,8 @@ VOID WINAPI RtlSetBits(PRTL_BITMAP lpBits, ULONG ulStart, ULONG ulCount)
 USHORT initialWord = NTDLL_maskBits[ulCount] << (ulStart & 7);
 *lpOut++ |= (initialWord & 0xff);
- *lpOut |= (initialWord >> 8);
+ if (lpOut < ((BYTE *)lpBits->Buffer) + (lpBits->SizeOfBitMap / 8))
+ *lpOut |= (initialWord >> 8);
 return;
 }
 }
@@ -218,7 +219,8 @@ VOID WINAPI RtlClearBits(PRTL_BITMAP lpBits, ULONG ulStart, ULONG ulCount)
 USHORT initialWord = ~(NTDLL_maskBits[ulCount] << (ulStart & 7));
 *lpOut++ &= (initialWord & 0xff);
- *lpOut &= (initialWord >> 8);
+ if (lpOut < ((BYTE *)lpBits->Buffer) + (lpBits->SizeOfBitMap / 8))
+ *lpOut &= (initialWord >> 8);
 return;
 }
 }
-- 2.17.1
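Review bot: The bound in the added guard truncates: `lpBits->SizeOfBitMap / 8` rounds down, so for a bitmap whose size is not a multiple of 8 the final, partially used byte is treated as not owned and the high half of initialWord — bits that do lie inside the bitmap — is silently dropped (with SizeOfBitMap == 12, ulStart == 6, ulCount == 4, bits 8..9 would never be set, assuming lpOut was advanced from Buffer + ulStart/8 as the `*lpOut++` on the previous line suggests). If ulStart + ulCount is already validated against SizeOfBitMap elsewhere, the bound should include the last owned byte: `if (lpOut < ((BYTE *)lpBits->Buffer) + ((lpBits->SizeOfBitMap + 7) / 8))`. The same truncation is in the RtlClearBits hunk at @@ -218. Both function bodies begin outside their hunks, so the computation of lpOut is not visible here.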
From: Michał Janiszewski <janisozaur(a)gmail.com>
Signed-off-by: Michał Janiszewski <janisozaur(a)gmail.com>
---
 dlls/msvcrt/scanf.h | 1 +
 1 file changed, 1 insertion(+)
diff --git a/dlls/msvcrt/scanf.h b/dlls/msvcrt/scanf.h
index cbbcae42a1..734fe8bb98 100644
--- a/dlls/msvcrt/scanf.h
+++ b/dlls/msvcrt/scanf.h
@@ -667,6 +667,7 @@ _FUNCTION_ {
 else {
 _UNLOCK_FILE_(file);
 *str = 0;
+ HeapFree(GetProcessHeap(), 0, Mask);
 return rd;
 }
 }
-- 2.17.1
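Review bot: The new HeapFree covers only this one early-return path, while the allocation of Mask and its normal release are outside the hunk; any other `return rd;` between those two points would still leak, so the sibling exits of this conversion are worth checking once. Because Mask is not otherwise visible in this block, a one-line comment on the added line would help the next reader: `/* Mask was allocated for this conversion; release it on the early exit too */`. The enclosing function starts and ends outside the hunk.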
Signed-off-by: Piotr Caban <piotr(a)codeweavers.com>
From: Michał Janiszewski <janisozaur(a)gmail.com>
Limit damage done by a case char buffer[1]; sscanf_s("xx", "%2c", buffer, 1); where it would try writing 'x' to buffer[1]. It is still not entirely correct, as according to https://en.cppreference.com/w/c/io/fwscanf, "The size of the destination array must be at least one greater than the specified field width" but the final byte is reserved for NULL terminator.
Signed-off-by: Michał Janiszewski <janisozaur(a)gmail.com>
---
 dlls/msvcrt/scanf.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dlls/msvcrt/scanf.h b/dlls/msvcrt/scanf.h
index 734fe8bb98..5393e36f23 100644
--- a/dlls/msvcrt/scanf.h
+++ b/dlls/msvcrt/scanf.h
@@ -549,7 +549,7 @@ _FUNCTION_ {
 {
 if (!suppress) {
 *str++ = _CHAR2SUPPORTED_(nch);
- if(size) size--;
+ if(size > 1) size--;
 else {
 _UNLOCK_FILE_(file);
 *pstr = 0;
@@ -575,7 +575,7 @@ _FUNCTION_ {
 {
 if (!suppress) {
 *str++ = _WIDE2SUPPORTED_(nch);
- if(size) size--;
+ if(size > 1) size--;
 else {
 _UNLOCK_FILE_(file);
 *pstr = 0;
-- 2.17.1
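Review bot: The store `*str++ = _CHAR2SUPPORTED_(nch);` still executes before size is examined, so a caller passing `size == 0` gets one byte written and then, through the else branch, `*pstr = 0` written as well — both outside a zero-length buffer; the `> 1` comparison bounds every other size but leaves this case as it was. Testing before the store, e.g. `if (!size) { _UNLOCK_FILE_(file); return rd; }` placed ahead of the assignment (and not touching `*pstr`, since there is no byte to terminate), would close it; whether a zero size can actually reach this point depends on how the size argument is read outside the hunk. The same ordering is in the second hunk at @@ -575 (`_WIDE2SUPPORTED_`). The enclosing function starts and ends outside both hunks.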