http://bugs.winehq.org/show_bug.cgi?id=33457
Bug #: 33457
Summary: Will the multiplication suffer from integer overflow @line 268?
Product: Wine
Version: unspecified
Platform: x86
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: comctl32
AssignedTo: wine-bugs@winehq.org
ReportedBy: sunxs@is.iscas.ac.cn
Classification: Unclassified
We notice that the multiplication at line 268 may overflow under some conditions and is not checked.
We think it is necessary to check it, as DSA_InsertItem is an exported function. It is not guaranteed that all the parameters will be in the valid range.
The related code is shown below.
Xiaoshan Sun TCA, ISCAS
============== related source codes ========================================
Implemented in "dlls/comctl32/dsa.c". source.winehq.org/source/dlls/comctl32/dsa.c
251 INT WINAPI DSA_InsertItem (const HDSA hdsa, INT nIndex, LPVOID pSrc)
252 {
253     INT nNewItems, nSize;
254     LPVOID lpTemp, lpDest;
255
256     TRACE("(%p %d %p)\n", hdsa, nIndex, pSrc);
257
258     if ((!hdsa) || nIndex < 0)
259         return -1;
260
261     /* when nIndex >= nItemCount then append */
262     if (nIndex >= hdsa->nItemCount)
263         nIndex = hdsa->nItemCount;
264
265     /* do we need to resize ? */
266     if (hdsa->nItemCount >= hdsa->nMaxCount) {
267         nNewItems = hdsa->nMaxCount + hdsa->nGrow;
268         nSize = hdsa->nItemSize * nNewItems; // if ( nSize/nNewItems != hdsa->nItemSize){ overflow detected;}
269
270         lpTemp = ReAlloc (hdsa->pData, nSize);
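Added example (not part of the bug report and not Wine's code): a stand-alone C program that reproduces the arithmetic of lines 267-268 on a hypothetical struct with the same INT-typed fields (nItemCount, nItemSize, nMaxCount, nGrow) and shows the difference between checking the product before it is computed and the reporter's post-hoc division test. Because signed int overflow is undefined behaviour in C, the multiplication itself is the point of no return; the check has to happen before it. The function and type names below (dsa_sizes, checked_add_int, checked_mul_int, dsa_grow_size, dsa_grow_size_wrapped) are assumptions of this example and do not exist in comctl32.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for the size fields of Wine's DSA object that the
 * report concerns. Field types are INT, as in dsa.c. Not Wine's own struct. */
typedef struct {
    int nItemCount;
    int nItemSize;
    int nMaxCount;
    int nGrow;
} dsa_sizes;

/* Overflow-safe a + b for non-negative ints. Writes the sum and returns true
 * only when it fits in int; never evaluates an overflowing expression. */
bool checked_add_int(int a, int b, int *out)
{
    if (a < 0 || b < 0)
        return false;
    if (a > INT_MAX - b)
        return false;
    *out = a + b;
    return true;
}

/* Overflow-safe a * b for positive ints. The test is done by division
 * BEFORE multiplying: a post-hoc "nSize / nNewItems != nItemSize" test is
 * unreliable because the overflowing product has already been computed,
 * which is undefined behaviour for signed int and may be optimised away. */
bool checked_mul_int(int a, int b, int *out)
{
    if (a <= 0 || b <= 0)
        return false;
    if (a > INT_MAX / b)
        return false;
    *out = a * b;
    return true;
}

/* Byte size needed after one grow step, as lines 267-268 of the reported
 * code compute it, but refusing to produce a wrapped value. Returns the
 * size, or -1 when nMaxCount + nGrow or nItemSize * nNewItems does not fit. */
int dsa_grow_size(const dsa_sizes *d)
{
    int new_items, new_size;
    if (!checked_add_int(d->nMaxCount, d->nGrow, &new_items))
        return -1;
    if (!checked_mul_int(d->nItemSize, new_items, &new_size))
        return -1;
    return new_size;
}

/* The unchecked arithmetic of the report, carried out in unsigned 32-bit so
 * the wrapped result can be shown without undefined behaviour. An allocator
 * handed this value would return a buffer far smaller than nNewItems items. */
unsigned int dsa_grow_size_wrapped(const dsa_sizes *d)
{
    unsigned int new_items = (unsigned int)d->nMaxCount + (unsigned int)d->nGrow;
    return (unsigned int)d->nItemSize * new_items;
}

int main(void)
{
    /* Constructed inputs: a normal array and one whose grow step overflows.
     * 0x10000 * (4 + 0x10000) = 0x100040000, which wraps to 0x40000 in 32 bits. */
    dsa_sizes ok  = { 4, 16,      4, 4       };
    dsa_sizes bad = { 4, 0x10000, 4, 0x10000 };

    printf("ok:  checked size = %d\n", dsa_grow_size(&ok));
    printf("bad: checked size = %d, unchecked (wrapped) size = %u\n",
           dsa_grow_size(&bad), dsa_grow_size_wrapped(&bad));
    return 0;
}
```

The "bad" case shows why the report matters: the unchecked expression yields 0x40000 bytes for an array that is supposed to hold 0x10004 items of 0x10000 bytes each, so a caller that passes large values to an exported function can end up with a heap buffer much smaller than the index arithmetic later assumes. The pre-multiplication check returns -1 instead, which the caller can map to DSA_InsertItem's existing -1 failure path.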