Module: wine Branch: master Commit: fac8e957c53b5ffeed690c782cc0bd34e07c8438 URL: http://source.winehq.org/git/wine.git/?a=commit;h=fac8e957c53b5ffeed690c782c...
Author: Dylan Smith dylan.ah.smith@gmail.com Date: Tue Sep 30 17:11:29 2008 -0400
richedit: Prevent font or colour buffer overflow on stream out.
Static sized buffers are used for storing the colours and fonts, so there needs to be a check to prevent these buffer from overflowing.
---
dlls/riched20/writer.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/dlls/riched20/writer.c b/dlls/riched20/writer.c index 912cae3..6a6ad54 100644 --- a/dlls/riched20/writer.c +++ b/dlls/riched20/writer.c @@ -214,7 +214,7 @@ ME_StreamOutRTFFontAndColorTbl(ME_OutStream *pStream, ME_DisplayItem *pFirstRun, if (table[i].bCharSet == bCharSet && (table[i].szFaceName == face || !lstrcmpW(table[i].szFaceName, face))) break; - if (i == pStream->nFontTblLen) { + if (i == pStream->nFontTblLen && i < STREAMOUT_FONTTBL_SIZE) { table[i].bCharSet = bCharSet; table[i].szFaceName = face; pStream->nFontTblLen++; @@ -226,7 +226,7 @@ ME_StreamOutRTFFontAndColorTbl(ME_OutStream *pStream, ME_DisplayItem *pFirstRun, for (i = 1; i < pStream->nColorTblLen; i++) if (pStream->colortbl[i] == crColor) break; - if (i == pStream->nColorTblLen) { + if (i == pStream->nColorTblLen && i < STREAMOUT_COLORTBL_SIZE) { pStream->colortbl[i] = crColor; pStream->nColorTblLen++; } @@ -236,7 +236,7 @@ ME_StreamOutRTFFontAndColorTbl(ME_OutStream *pStream, ME_DisplayItem *pFirstRun, for (i = 1; i < pStream->nColorTblLen; i++) if (pStream->colortbl[i] == crColor) break; - if (i == pStream->nColorTblLen) { + if (i == pStream->nColorTblLen && i < STREAMOUT_COLORTBL_SIZE) { pStream->colortbl[i] = crColor; pStream->nColorTblLen++; }