https://bugs.winehq.org/show_bug.cgi?id=49279
Bug ID: 49279 Summary: Possible array out of bounds in mci.c Product: Wine Version: 5.9 Hardware: x86 OS: Linux Status: UNCONFIRMED Severity: normal Priority: P2 Component: winmm&mci Assignee: wine-bugs@winehq.org Reporter: mikrutrafal54@gmail.com Distribution: ---
Trace can use invalid memory, because index are checked after use.
``` TRACE("Dumping cmdTbl=%d [lpTable=%p devType=%d]\n", uTbl, S_MciCmdTable[uTbl].lpTable, S_MciCmdTable[uTbl].uDevType);
if (uTbl >= MAX_MCICMDTABLE || !S_MciCmdTable[uTbl].lpTable) return FALSE; ```
https://github.com/wine-mirror/wine/blob/6d801377055911d914226a3c6af8d8637a6...
https://bugs.winehq.org/show_bug.cgi?id=49279
Sagawa sagawa.aki+winebugs@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |sagawa.aki+winebugs@gmail.c | |om
--- Comment #1 from Sagawa sagawa.aki+winebugs@gmail.com ---
From my point of view, 'uTbl >= MAX_MCICMDTABLE' is redundant.
The function's uTbl argument originated from MCI_DumpCommandTable()'s argument. MCI_DumpCommandTable() is called inside a for loop and its argument range is [0..MAX_MCICMDTABLE). Thus, it never exceeds MAX_MCICMDTABLE.
-
WineHQ Bugzilla