On Friday, 9 November 2018 18:50:43 CET Nikolay Sivov wrote:
On 11/9/18 4:21 PM, Wolfgang Walter wrote:
if(table->MS_tag == MS_MAKE_TAG('g','d','i','r')) return TRUE; table->len = GetFontData(hdc, table->MS_tag, 0, NULL, 0);
- table->check = 0;
- if(table->len == GDI_ERROR) {
table->len = 0;
return TRUE;
- }
- if(table->len > (0xfffffffflu - 3)) {
table->len = 0;
return FALSE;
- }
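Review bot: the new `table->len > (0xfffffffflu - 3)` guard is right as far as the visible code goes, because `table->len` is a DWORD and `(table->len + 3) & ~3` in the HeapAlloc call that follows wraps to 0 for 0xfffffffd and 0xfffffffe (0xffffffff is already caught as GDI_ERROR), but nothing at the check site says so and this thread shows the condition is not self-explanatory; add a one-line comment such as `/* (len + 3) below must not wrap */` above the `if`. Also note the asymmetry with the branch just above it: GDI_ERROR sets `table->len = 0` and returns TRUE, the overflow case sets `table->len = 0` and returns FALSE; if that difference is intended, the commit message should say why.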
What is the second condition for?
The code which follows is:
    table->data = HeapAlloc(GetProcessHeap(), 0, (table->len + 3) & ~3 );
    memset(table->data + ((table->len - 1) & ~3), 0, sizeof(DWORD));
    GetFontData(hdc, table->MS_tag, 0, table->data, table->len);
    for(i = 0; i < (table->len + 3) / 4; i++)
        table->check += FLIP_ORDER(*((DWORD*)(table->data) + i));
If table->len (which itself is a DWORD) gets bigger than 0xfffffffflu - 3, it will overflow in (table->len + 3), and HeapAlloc does not allocate as much memory as expected.
The whole thing will then be inconsistent, and I thought therefore one should not rely a) on wine handling that gracefully and b) on there being no such font embedded in PDFs.
Regards,
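As an added example (not Wine code and not part of this thread), the following C program reproduces the length arithmetic from the snippet quoted above so the wraparound can be seen on constructed input. It substitutes a caller-supplied byte buffer for GetFontData, malloc for HeapAlloc, and a big-endian read for FLIP_ORDER; all three stand-ins, the zero-length rejection in table_checksum, and the 6-byte sample table are assumptions made for this example.

```c
/* Added example, not Wine code: shows why (len + 3) & ~3 needs a guard
 * when len is a 32-bit DWORD. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t DWORD;

/* Unguarded allocation size exactly as in the snippet: (len + 3) & ~3.
 * For len > 0xfffffffc the addition wraps and the result is 0. */
DWORD alloc_size_unchecked(DWORD len)
{
    return (len + 3) & ~(DWORD)3;
}

/* Guarded version using the condition the patch adds. Returns false
 * (and leaves *size untouched) when len + 3 would wrap. */
bool alloc_size_checked(DWORD len, DWORD *size)
{
    if (len > 0xfffffffflu - 3)
        return false;
    *size = (len + 3) & ~(DWORD)3;
    return true;
}

bool len_accepted(DWORD len)
{
    DWORD size;
    return alloc_size_checked(len, &size);
}

/* Offset of the memset that zeroes the final DWORD: (len - 1) & ~3.
 * With len 0xfffffffe this is 0xfffffffc, far past the 0-byte buffer. */
DWORD pad_offset(DWORD len)
{
    return (len - 1) & ~(DWORD)3;
}

/* Stand-in for FLIP_ORDER(*((DWORD*)data + i)) on a little-endian host:
 * read DWORD i of the table as big-endian. */
static DWORD read_be32(const unsigned char *p)
{
    return ((DWORD)p[0] << 24) | ((DWORD)p[1] << 16) |
           ((DWORD)p[2] << 8)  |  (DWORD)p[3];
}

/* Mirrors allocate / zero-pad / copy / checksum on a caller-supplied table
 * body instead of GetFontData. Returns false if len is rejected. The
 * len == 0 rejection is this example's own, since (len - 1) wraps too. */
bool table_checksum(const unsigned char *body, DWORD len, DWORD *check)
{
    DWORD size, i, sum = 0;
    unsigned char *data;

    if (len == 0 || !alloc_size_checked(len, &size))
        return false;
    data = malloc(size);
    if (!data)
        return false;
    memset(data + pad_offset(len), 0, sizeof(DWORD)); /* zero trailing pad */
    memcpy(data, body, len);                          /* GetFontData stand-in */
    for (i = 0; i < size / 4; i++)
        sum += read_be32(data + 4 * i);
    free(data);
    *check = sum;
    return true;
}

/* Constructed 6-byte table body: big-endian 0x00010002 then 0x0003 + 2 pad
 * bytes, so the expected checksum is 0x00010002 + 0x00030000 = 0x00040002. */
DWORD demo_checksum(void)
{
    static const unsigned char body[6] = {0x00, 0x01, 0x00, 0x02, 0x00, 0x03};
    DWORD check = 0;
    return table_checksum(body, sizeof body, &check) ? check : 0;
}

int main(void)
{
    printf("checksum of sample table: 0x%08x\n", demo_checksum());
    printf("unchecked alloc size for len 0xfffffffe: %u\n",
           alloc_size_unchecked(0xfffffffeu));
    printf("memset offset for that len: 0x%08x\n", pad_offset(0xfffffffeu));
    printf("checked: %s\n", len_accepted(0xfffffffeu) ? "accepted" : "rejected");
    return 0;
}
```

Running it shows the allocation request collapsing to 0 bytes for a length of 0xfffffffe while the memset still targets offset 0xfffffffc, which is the inconsistency the guard prevents.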