[Bug 19819] New: Small bug in TranslateCharsetInfo

23 Aug 2009


      http://bugs.winehq.org/show_bug.cgi?id=19819
Summary: Small bug in TranslateCharsetInfo
           Product: Wine
           Version: 1.1.28
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gdi32
        AssignedTo: wine-bugs@winehq.org
        ReportedBy: grschneider@gmail.com
TranslateCharsetInfo (dlls/gdi32/font.c:2596) works on an array FONT_tci of
size 32 and may access this array with the index 32 - out of bounds.
The loops in lines 2602 and 2605 first acces the array with an incremented
index and check afterwards, this may lead to the described behaviour. The order
 access then check has to be swapped in those three cases to fix this. C won't
access the arrays then because of lazy evaluation.
Example loop:
2602       while (PtrToUlong(lpSrc) != FONT_tci[index].ciACP && index <
MAXTCIINDEX) index++;
index = 31, 31 < 32 (true), 31++, FONT_tci[32].ciACP -> crash
Can't provide a patch atm, I hope this description is enough.
-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

[Bug 19819] New: Small bug in TranslateCharsetInfo