Module: wine Branch: master Commit: c3b4fe391986737c1c41f33d1e5f9937388f7c9b URL: http://source.winehq.org/git/wine.git/?a=commit;h=c3b4fe391986737c1c41f33d1e...
Author: Rob Shearman rob@codeweavers.com Date: Sun Dec 17 23:47:06 2006 +0000
kernel32: Protect global alloc functions against integer overflows on the size parameter.
---
dlls/kernel32/heap.c | 20 ++++++++++++++++++-- 1 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/dlls/kernel32/heap.c b/dlls/kernel32/heap.c
index 5d7f61c..44545cd 100644
--- a/dlls/kernel32/heap.c
+++ b/dlls/kernel32/heap.c
@@ -365,6 +365,12 @@ HGLOBAL WINAPI GlobalAlloc( } else /* HANDLE */ { + if (size > INT_MAX-HGLOBAL_STORAGE) + { + SetLastError(ERROR_OUTOFMEMORY); + return 0; + } + RtlLockHeap(GetProcessHeap());
pintern = HeapAlloc(GetProcessHeap(), 0, sizeof(GLOBAL32_INTERN));
@@ -658,7 +664,12 @@ HGLOBAL WINAPI GlobalReAlloc( hnew=hmem; if(pintern->Pointer) { - if((palloc = HeapReAlloc(GetProcessHeap(), heap_flags, + if(size > INT_MAX-HGLOBAL_STORAGE) + { + SetLastError(ERROR_OUTOFMEMORY); + hnew = 0; + } + else if((palloc = HeapReAlloc(GetProcessHeap(), heap_flags, (char *) pintern->Pointer-HGLOBAL_STORAGE, size+HGLOBAL_STORAGE)) == NULL) hnew = 0; /* Block still valid */
@@ -667,7 +678,12 @@ HGLOBAL WINAPI GlobalReAlloc( } else { - if((palloc=HeapAlloc(GetProcessHeap(), heap_flags, size+HGLOBAL_STORAGE)) + if(size > INT_MAX-HGLOBAL_STORAGE) + { + SetLastError(ERROR_OUTOFMEMORY); + hnew = 0; + } + else if((palloc=HeapAlloc(GetProcessHeap(), heap_flags, size+HGLOBAL_STORAGE)) == NULL) hnew = 0; else
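Review bot: The added guard in GlobalAlloc, `if (size > INT_MAX-HGLOBAL_STORAGE)`, has no comment explaining the bound, and the addition it protects is not in this hunk, so a reader cannot see what it guards; the two copies in the GlobalReAlloc hunks are equally bare. If size is the unsigned SIZE_T of the Win32 prototype (the signature is outside the hunk), `size+HGLOBAL_STORAGE` only wraps near the top of that type, which makes INT_MAX a stricter policy limit than the wrap point. I would state that above the check, for example `/* size + HGLOBAL_STORAGE must not overflow; sizes above INT_MAX are refused outright */`. The patch adds no #include, so INT_MAX presumably comes from a header heap.c already pulls in; worth confirming.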
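Review bot: The same guard is pasted into both arms of `if(pintern->Pointer)` in GlobalReAlloc, here before HeapReAlloc and again before HeapAlloc in the next hunk, which makes it easy for a later allocation path to be added without it. Since neither arm can proceed once the size is rejected, the check can be done once ahead of the branch: `if(size > INT_MAX-HGLOBAL_STORAGE) { SetLastError(ERROR_OUTOFMEMORY); hnew = 0; }` followed by `else if(pintern->Pointer)`. In this arm the rejected request leaves pintern->Pointer untouched, so the existing `/* Block still valid */` remark applies to the new path as well and could be repeated there. The enclosing block starts and ends outside the hunk, so whether a lock taken earlier is released on this path cannot be checked from here.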
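Review bot: In the HeapAlloc arm of GlobalReAlloc the two failure paths now report differently: the new guard calls `SetLastError(ERROR_OUTOFMEMORY)`, while the `== NULL` path below it only sets `hnew = 0` and leaves whatever error code the heap call produced, if any. A caller inspecting GetLastError after a failed GlobalReAlloc may therefore see two different codes for the same kind of failure; the HeapReAlloc arm in the previous hunk has the same split. It would help to confirm which code native Windows returns for an oversized request and either use it on both paths or note the difference in a comment. The diffstat lists only heap.c, so no test accompanies the guard; a test that requests a size just above the limit and checks the return value and last error would pin this down.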