Module: wine Branch: master Commit: a9e5a02a20a2b11edf0949c5bb1c4dd6c5297644 URL: http://source.winehq.org/git/wine.git/?a=commit;h=a9e5a02a20a2b11edf0949c5bb...

Author: Henri Verbeet hverbeet@codeweavers.com Date: Thu Mar 9 10:37:04 2017 +0100

wined3d: Validate instruction lengths in shader_sm4_read_instruction() (AFL).

Signed-off-by: Henri Verbeet hverbeet@codeweavers.com Signed-off-by: Alexandre Julliard julliard@winehq.org

---

dlls/wined3d/shader_sm4.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+)

diff --git a/dlls/wined3d/shader_sm4.c b/dlls/wined3d/shader_sm4.c index bd974a2..8986d35 100644 --- a/dlls/wined3d/shader_sm4.c +++ b/dlls/wined3d/shader_sm4.c @@ -1507,16 +1507,36 @@ static void shader_sm4_read_instruction(void *data, const DWORD **ptr, struct wi DWORD opcode_token, opcode, previous_token; struct wined3d_sm4_data *priv = data; unsigned int i, len; + SIZE_T remaining; const DWORD *p;

list_move_head(&priv->src_free, &priv->src);

+ if (*ptr >= priv->end) + { + WARN("End of byte-code, failed to read opcode.\n"); + goto fail; + } + remaining = priv->end - *ptr; + opcode_token = *(*ptr)++; opcode = opcode_token & WINED3D_SM4_OPCODE_MASK;

len = ((opcode_token & WINED3D_SM4_INSTRUCTION_LENGTH_MASK) >> WINED3D_SM4_INSTRUCTION_LENGTH_SHIFT); if (!len) + { + if (remaining < 2) + { + WARN("End of byte-code, failed to read length token.\n"); + goto fail; + } len = **ptr; + } + if (!len || remaining < len) + { + WARN("Read invalid length %u (remaining %lu).\n", len, remaining); + goto fail; + } --len;

if (TRACE_ON(d3d_bytecode)) @@ -1589,6 +1609,13 @@ static void shader_sm4_read_instruction(void *data, const DWORD **ptr, struct wi } } } + + return; + +fail: + *ptr = priv->end; + ins->handler_idx = WINED3DSIH_TABLE_SIZE; + return; }

static BOOL shader_sm4_is_end(void *data, const DWORD **ptr)