Module: wine Branch: master Commit: a61cfe0fd776cc84131901941a597c1147a605f3 URL: http://source.winehq.org/git/wine.git/?a=commit;h=a61cfe0fd776cc84131901941a...
Author: Henri Verbeet hverbeet@codeweavers.com Date: Wed May 31 11:07:05 2017 +0200
wined3d: Validate parameter lengths in shader_sm4_read_param() (AFL).
Signed-off-by: Henri Verbeet hverbeet@codeweavers.com Signed-off-by: Alexandre Julliard julliard@winehq.org
---
dlls/wined3d/shader_sm4.c | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-)
diff --git a/dlls/wined3d/shader_sm4.c b/dlls/wined3d/shader_sm4.c
index 07e206a..142c0f8 100644
--- a/dlls/wined3d/shader_sm4.c
+++ b/dlls/wined3d/shader_sm4.c
@@ -1370,8 +1370,14 @@ static BOOL shader_sm4_read_param(struct wined3d_sm4_data *priv, const DWORD **p
 enum wined3d_shader_src_modifier *modifier)
 {
 enum wined3d_sm4_register_type register_type;
- DWORD token = *(*ptr)++;
- DWORD order;
+ DWORD token, order;
+
+ if (*ptr >= end)
+ {
+ WARN("Invalid ptr %p >= end %p.\n", *ptr, end);
+ return FALSE;
+ }
+ token = *(*ptr)++;
 register_type = (token & WINED3D_SM4_REGISTER_TYPE_MASK) >> WINED3D_SM4_REGISTER_TYPE_SHIFT;
 if (register_type >= sizeof(register_type_table) / sizeof(*register_type_table)
@@ -1388,7 +1394,14 @@ static BOOL shader_sm4_read_param(struct wined3d_sm4_data *priv, const DWORD **p
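Review bot: The check-then-read sequence added before `token = *(*ptr)++;` is repeated verbatim in the second hunk before `m = *(*ptr)++;`, so every future token read in this parser has to copy the guard by hand. A small static helper that does the bounds check and the read together would make an unchecked read harder to introduce. The helper name below is only a suggestion, and `end` is assumed to be a `const DWORD *` because its declaration is outside the hunk. The body of shader_sm4_read_param() continues past this hunk, so any other direct `*(*ptr)++` reads it may contain are not visible here.

```c
/* Proposed helper: read one DWORD only if it lies before end. */
static BOOL shader_sm4_read_dword(const DWORD **ptr, const DWORD *end, DWORD *value)
{
    if (*ptr >= end)
    {
        WARN("Invalid ptr %p >= end %p.\n", *ptr, end);
        return FALSE;
    }
    *value = *(*ptr)++;
    return TRUE;
}

/* ... unchanged: shader_sm4_read_param() signature and declarations ... */
    if (!shader_sm4_read_dword(ptr, end, &token))
        return FALSE;
/* ... unchanged: register_type decoding ... */
```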
 if (token & WINED3D_SM4_REGISTER_MODIFIER)
 {
- DWORD m = *(*ptr)++;
+ DWORD m;
+
+ if (*ptr >= end)
+ {
+ WARN("Invalid ptr %p >= end %p.\n", *ptr, end);
+ return FALSE;
+ }
+ m = *(*ptr)++;
 switch (m)
 {
@@ -1453,12 +1466,22 @@ static BOOL shader_sm4_read_param(struct wined3d_sm4_data *priv, const DWORD **p
 {
 case WINED3D_SM4_IMMCONST_SCALAR:
 param->immconst_type = WINED3D_IMMCONST_SCALAR;
+ if (end - *ptr < 1)
+ {
+ WARN("Invalid ptr %p, end %p.\n", *ptr, end);
+ return FALSE;
+ }
 memcpy(param->u.immconst_data, *ptr, 1 * sizeof(DWORD));
 *ptr += 1;
 break;
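Review bot: The early return added in the `WINED3D_SM4_REGISTER_MODIFIER` branch exits after `*ptr` has already moved past the first token and, as far as the hunk shows, before `*modifier` is assigned (presumably in the `switch (m)` that follows). A caller that ignores the FALSE result would therefore continue with a shifted read position and an unset modifier. The returns added in the immediate-constant cases behave the same way, with `param->immconst_type` already written. A contract comment above the function would make this explicit, e.g. `/* Returns FALSE on truncated input; *ptr, *param and *modifier are then unspecified and parsing must stop. */`. The callers and the rest of the switch are outside this hunk.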
 case WINED3D_SM4_IMMCONST_VEC4:
 param->immconst_type = WINED3D_IMMCONST_VEC4;
+ if (end - *ptr < 4)
+ {
+ WARN("Invalid ptr %p, end %p.\n", *ptr, end);
+ return FALSE;
+ }
 memcpy(param->u.immconst_data, *ptr, 4 * sizeof(DWORD));
 *ptr += 4;
 break;
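Review bot: The guards `end - *ptr < 1` and `end - *ptr < 4` count DWORDs, not bytes, which is only correct while `end` and `*ptr` are both DWORD pointers; the declaration of `end` is outside this hunk. A one-line comment above the first guard would keep a later change from "correcting" the unit, e.g. `/* end - *ptr is the number of DWORDs left before end. */`. Each case also spells its element count three times (guard, `memcpy` length, `*ptr +=`), so an edit to one can silently detach the check from the copy. The guards bound the read side only; the capacity of `param->u.immconst_data` is declared elsewhere and is not checked in these lines.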