[PATCH v6 0/3] MR4073: msxml3: Stop possible typelib out of bounds access (Coverity)
The typelib array has a size of 2 (i.e. LibXml_Last), so a lookup of IID_NULL would result in a lookup of a third, out-of-bounds index. -- v6: msxml3: Do not leak bind context on error paths (Coverity) https://gitlab.winehq.org/wine/wine/-/merge_requests/4073
From: Alistair Leslie-Hughes <leslie_alistair(a)hotmail.com>
---
 dlls/msxml3/dispex.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dlls/msxml3/dispex.c b/dlls/msxml3/dispex.c
index cd7c2820133..6212fc2976c 100644
--- a/dlls/msxml3/dispex.c
+++ b/dlls/msxml3/dispex.c
@@ -294,9 +294,9 @@ static dispex_data_t *preprocess_dispex_data(DispatchEx *This)
         data->funcs = heap_realloc(data->funcs, data->func_cnt * sizeof(func_info_t));
     }
-    qsort(data->funcs, data->func_cnt, sizeof(func_info_t), dispid_cmp);
-
     if(data->funcs) {
+        qsort(data->funcs, data->func_cnt, sizeof(func_info_t), dispid_cmp);
+
         data->name_table = heap_alloc(data->func_cnt * sizeof(func_info_t*));
         for(i=0; i < data->func_cnt; i++)
             data->name_table[i] = data->funcs+i;
--
GitLab
https://gitlab.winehq.org/wine/wine/-/merge_requests/4073
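Review bot: Guarding qsort() with `if(data->funcs)` removes the NULL-pointer call, but the `heap_alloc()` result assigned to `data->name_table` on the next context line is still unchecked before the loop stores through `data->name_table[i]`, so an allocation failure inside that branch dereferences NULL. A check such as `if (!(data->name_table = heap_alloc(data->func_cnt * sizeof(func_info_t*)))) /* take the function's failure path */` would close the gap; preprocess_dispex_data continues outside the hunk, so the correct cleanup cannot be confirmed from here. The `heap_realloc()` in the first context line also overwrites `data->funcs` on failure, leaking the previous buffer, which is worth a separate follow-up.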
From: Alistair Leslie-Hughes <leslie_alistair(a)hotmail.com>

This was reported as a out of bounds access (Coverity), which is possible if the tid_NULL was every passed in.
---
 dlls/msxml3/dispex.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dlls/msxml3/dispex.c b/dlls/msxml3/dispex.c
index 6212fc2976c..ef68cb74745 100644
--- a/dlls/msxml3/dispex.c
+++ b/dlls/msxml3/dispex.c
@@ -82,7 +82,7 @@ static lib_id_t lib_ids[] = {
 };
 
 static tid_id_t tid_ids[] = {
-    { &IID_NULL, LibXml_Last },
+    { &IID_NULL, LibXml2 },
     { &IID_IXMLDOMAttribute, LibXml2 },
     { &IID_IXMLDOMCDATASection, LibXml2 },
     { &IID_IXMLDOMComment, LibXml2 },
--
GitLab
https://gitlab.winehq.org/wine/wine/-/merge_requests/4073
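Review bot: Mapping IID_NULL to LibXml2 keeps the `lib_ids[]` index in bounds, but it also makes a lookup with tid_NULL resolve to a real typelib instead of being rejected, so a caller that passes tid_NULL by mistake now silently gets LibXml2's type info. If that is not intended, an explicit tid_NULL check at the lookup site (outside this hunk) returning an error would be the more defensive fix. Either way a short comment on the entry, `/* tid_NULL is not a real type: LibXml2 only keeps the lib_ids[] index in bounds */`, would stop a later reader from treating it as a meaningful binding.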
From: Alistair Leslie-Hughes <leslie_alistair(a)hotmail.com>
---
 dlls/msxml3/httprequest.c | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

diff --git a/dlls/msxml3/httprequest.c b/dlls/msxml3/httprequest.c
index 459466a1234..e21ece7d9c4 100644
--- a/dlls/msxml3/httprequest.c
+++ b/dlls/msxml3/httprequest.c
@@ -680,19 +680,12 @@ static const IAuthenticateVtbl AuthenticateVtbl = {
 static HRESULT BindStatusCallback_create(httprequest* This, BindStatusCallback **obj, const VARIANT *body)
 {
     BindStatusCallback *bsc;
-    IBindCtx *pbc;
+    IBindCtx *pbc = NULL;
     HRESULT hr;
     LONG size;
 
-    hr = CreateBindCtx(0, &pbc);
-    if (hr != S_OK) return hr;
-
-    bsc = heap_alloc(sizeof(*bsc));
-    if (!bsc)
-    {
-        IBindCtx_Release(pbc);
+    if (!(bsc = heap_alloc(sizeof(*bsc))))
         return E_OUTOFMEMORY;
-    }
 
     bsc->IBindStatusCallback_iface.lpVtbl = &BindStatusCallbackVtbl;
     bsc->IHttpNegotiate_iface.lpVtbl = &BSCHttpNegotiateVtbl;
@@ -795,7 +788,9 @@ static HRESULT BindStatusCallback_create(httprequest* This, BindStatusCallback *
         SafeArrayUnaccessData(sa);
     }
 
-    hr = RegisterBindStatusCallback(pbc, &bsc->IBindStatusCallback_iface, NULL, 0);
+    hr = CreateBindCtx(0, &pbc);
+    if (hr == S_OK)
+        hr = RegisterBindStatusCallback(pbc, &bsc->IBindStatusCallback_iface, NULL, 0);
     if (hr == S_OK)
     {
         IMoniker *moniker;
@@ -809,9 +804,11 @@ static HRESULT BindStatusCallback_create(httprequest* This, BindStatusCallback *
             IMoniker_Release(moniker);
             if (stream) IStream_Release(stream);
         }
-        IBindCtx_Release(pbc);
     }
 
+    if (pbc)
+        IBindCtx_Release(pbc);
+
     if (FAILED(hr))
     {
         IBindStatusCallback_Release(&bsc->IBindStatusCallback_iface);
--
GitLab
https://gitlab.winehq.org/wine/wine/-/merge_requests/4073
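Review bot: The new gating mixes `hr == S_OK` with `FAILED(hr)`: in the second hunk RegisterBindStatusCallback() only runs when CreateBindCtx() returned exactly S_OK, but the cleanup after the third hunk fires only on `FAILED(hr)`, so a non-S_OK success code from CreateBindCtx() would skip registration and the moniker binding yet still reach whatever success path follows outside the hunk with the callback never registered. The removed code rejected that case with `if (hr != S_OK) return hr;`, so either keep that strictness or gate both steps on `SUCCEEDED(hr)` so the success test and the cleanup test agree. The `if (pbc)` release in the third hunk also relies on `pbc` staying NULL when CreateBindCtx() fails; that holds via the `= NULL` initialiser from the first hunk and the COM out-parameter convention, but a comment `/* pbc stays NULL if CreateBindCtx() failed */` would make the dependency explicit. BindStatusCallback_create's body continues outside the hunks.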
This merge request was approved by Nikolay Sivov. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/4073