Module: wine Branch: master Commit: 3d5d8903b89803f5b2ec12a2d20ae9a171047fdc URL: https://source.winehq.org/git/wine.git/?a=commit;h=3d5d8903b89803f5b2ec12a2d...
Author: Michał Janiszewski janisozaur@gmail.com Date: Sun Jul 8 21:57:43 2018 +0200
ntdll: Prevent Find{Set, Clear}Run from reading past the end of bitmap.
This can happen in sample arrays (hex): FindSetRun: 00 00 00 00 00 00 00 ff FindClearRun: ff ff ff ff ff ff ff 00
Signed-off-by: Michał Janiszewski janisozaur@gmail.com Signed-off-by: Alexandre Julliard julliard@winehq.org
---
dlls/ntdll/rtlbitmap.c | 12 ++++++++++++ dlls/ntdll/tests/rtlbitmap.c | 2 -- 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/dlls/ntdll/rtlbitmap.c b/dlls/ntdll/rtlbitmap.c
index 20108f5..d0a4e5c 100644
--- a/dlls/ntdll/rtlbitmap.c
+++ b/dlls/ntdll/rtlbitmap.c
@@ -731,6 +731,12 @@ static ULONG NTDLL_FindSetRun(PCRTL_BITMAP lpBits, ULONG ulStart, PULONG lpSize)
 return ~0U;
 }
+ /* Check if reached the end of bitmap */
+ if (ulStart >= lpBits->SizeOfBitMap) {
+ *lpSize = ulCount - (ulStart - lpBits->SizeOfBitMap);
+ return ulFoundAt;
+ }
+
 /* Count blocks of 8 set bits */
 while (*lpOut == 0xff) {
@@ -822,6 +828,12 @@ static ULONG NTDLL_FindClearRun(PCRTL_BITMAP lpBits, ULONG ulStart, PULONG lpSiz
 return ~0U;
 }
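Review bot: The new `if (ulStart >= lpBits->SizeOfBitMap)` block in NTDLL_FindSetRun (and the identical one in the NTDLL_FindClearRun hunk) carries a comment that says only that the end was reached, not why `ulCount` is reduced; suggested replacement: `/* The bit-wise scan above may have counted bits past SizeOfBitMap; trim the run to the real end of the bitmap before returning. */`. The unsigned subtraction `ulCount - (ulStart - lpBits->SizeOfBitMap)` is only sound if ulStart and ulCount advanced in lockstep from ulFoundAt, which the scan before the hunk presumably guarantees but the comment should state. The byte-wise loop `while (*lpOut == 0xff)` that follows is outside the visible hunk, so I cannot tell whether it is bounded by SizeOfBitMap as well; the added check only covers the position reached before that loop, so the past-the-end read this commit fixes would remain possible from there if that loop is unbounded. Since the five lines are duplicated verbatim in both functions, a small static helper would keep the two fixes from drifting apart. Both functions' bodies continue outside the hunk.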
+ /* Check if reached the end of bitmap */
+ if (ulStart >= lpBits->SizeOfBitMap) {
+ *lpSize = ulCount - (ulStart - lpBits->SizeOfBitMap);
+ return ulFoundAt;
+ }
+
 /* Count blocks of 8 clear bits */
 while (!*lpOut) {
diff --git a/dlls/ntdll/tests/rtlbitmap.c b/dlls/ntdll/tests/rtlbitmap.c
index 10ee5f6..3c3992e 100644
--- a/dlls/ntdll/tests/rtlbitmap.c
+++ b/dlls/ntdll/tests/rtlbitmap.c
@@ -635,7 +635,6 @@ static void test_RtlFindNextForwardRunSet(void)
pRtlInitializeBitMap(&bm, mask, 62);
 ulCount = pRtlFindNextForwardRunSet(&bm, ulStart, &lpPos);
- todo_wine
 ok(ulCount == 6, "Invalid length of found set run: %d, expected 6\n", ulCount);
 ok(lpPos == 56, "Invalid position of found set run: %d, expected 56\n", lpPos);
 }
@@ -650,7 +649,6 @@ static void test_RtlFindNextForwardRunClear(void)
pRtlInitializeBitMap(&bm, mask, 62);
 ulCount = pRtlFindNextForwardRunClear(&bm, ulStart, &lpPos);
- todo_wine
 ok(ulCount == 6, "Invalid length of found clear run: %d, expected 6\n", ulCount);
 ok(lpPos == 56, "Invalid position of found clear run: %d, expected 56\n", lpPos);
 }