[PATCH 0/2] MR2818: quartz, setupapi: Avoid reading past the end of a buffer (Valgrind).
From: Rémi Bernon <rbernon(a)codeweavers.com> --- dlls/quartz/filtermapper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dlls/quartz/filtermapper.c b/dlls/quartz/filtermapper.c index 149bc8d1716..dd7c6c41872 100644 --- a/dlls/quartz/filtermapper.c +++ b/dlls/quartz/filtermapper.c @@ -425,7 +425,7 @@ static int add_data(struct Vector *v, const void *pData, int size) static int find_data(const struct Vector *v, const void *pData, int size) { int index; - for (index = 0; index < v->current; index++) + for (index = 0; index + size <= v->current; index++) if (!memcmp(v->pData + index, pData, size)) return index; /* not found */ -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/2818
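Review bot: The new bound `index + size <= v->current` keeps `memcmp()` inside the vector, but since `index` and `size` are both `int`, a caller passing a negative or oversized `size` would make the sum wrap instead of failing; an explicit `if (size < 0 || size > v->current) return -1;` ahead of the loop states the intent and avoids relying on the loop condition alone. The patch also has no commit message body: it should name which caller reaches `find_data()` with more bytes than remain in `v->pData`, so the Valgrind report referenced in the subject can be reproduced.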
From: Rémi Bernon <rbernon(a)codeweavers.com> --- dlls/setupapi/devinst.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dlls/setupapi/devinst.c b/dlls/setupapi/devinst.c index ef7b4dccf0d..6c4a6e68b4d 100644 --- a/dlls/setupapi/devinst.c +++ b/dlls/setupapi/devinst.c @@ -4610,7 +4610,8 @@ static BOOL device_matches_id(const struct device *device, const WCHAR *id_type, device_ids = heap_alloc(size); if (!RegGetValueW(device->key, NULL, id_type, RRF_RT_REG_MULTI_SZ, NULL, device_ids, &size)) { - for (p = device_ids, i = 0; *p; p += lstrlenW(p) + 1, i++) + char *end = (char *)device_ids + size; + for (p = device_ids, i = 0; (char *)p + sizeof(WCHAR) <= end && *p; p += lstrlenW(p) + 1, i++) { if (!wcsicmp(p, id)) { -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/2818
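Review bot: The guard `(char *)p + sizeof(WCHAR) <= end` only protects the `*p` dereference; `lstrlenW(p)` in the increment and `wcsicmp(p, id)` in the body still scan until they find a NUL, so a final entry that is not terminated within `size` bytes can still be read past `end`. If the intent is to tolerate a REG_MULTI_SZ value that is not properly double-NUL-terminated, either bound those scans as well or normalize the buffer right after `RegGetValueW()` succeeds (for example by reserving and zeroing two trailing `WCHAR`s), and say in the commit message which registry value Valgrind flagged and why it lacked the terminator.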
We should only be able to overread in device_matches_id() if the string wasn't properly double-null-terminated. When can that happen? -- https://gitlab.winehq.org/wine/wine/-/merge_requests/2818#note_32811
participants (2)
- Rémi Bernon
- Zebediah Figura (@zfigura)