Hi Dylan, commit 11c80396995065701205f2facb3dba10a6f8170f[1] introduced a buffer overrun in riched20's editor.c. Here's the hunk that did it:
@@ -666,35 +661,83 @@ static void ME_RTFParAttrHook(RTF_Info *info)
static void ME_RTFTblAttrHook(RTF_Info *info) { - ME_DisplayItem *para; - switch (info->rtfMinor) { case rtfRowDef: - RTFFlushOutputBuffer(info); - para = ME_GetParagraph(info->editor->pCursors[0].pRun); - - /* Release possibly inherited cell definitions */ - ME_DestroyTableCellList(para); - - para->member.para.pCells = ALLOC_OBJ(ME_TableCell); - para->member.para.pCells->nRightBoundary = 0; - para->member.para.pCells->next = NULL; - para->member.para.pLastCell = para->member.para.pCells; + if (!info->tableDef) + info->tableDef = ALLOC_OBJ(RTFTable); + ZeroMemory(info->tableDef, sizeof(RTFTable)); break; case rtfCellPos: + if (!info->tableDef) + { + info->tableDef = ALLOC_OBJ(RTFTable); + ZeroMemory(info->tableDef, sizeof(RTFTable)); + } + if (info->tableDef->numCellsDefined >= MAX_TABLE_CELLS) + break; + info->tableDef->cells[info->tableDef->numCellsDefined].rightBoundary = info->rtfParam; + { + /* Tab stops store the cell positions. */ + ME_DisplayItem *para = ME_GetParagraph(info->editor->pCursors[0].pRun); + PARAFORMAT2 *pFmt = para->member.para.pFmt; + int cellNum = info->tableDef->numCellsDefined; + pFmt->rgxTabs[cellNum] &= ~0x00FFFFFF; + pFmt->rgxTabs[cellNum] = 0x00FFFFFF & info->rtfParam; The trouble is, numCellsDefined is only guaranteed to be less than MAX_TABLE_CELLS (defined as 63 in include/richedit.h), while rgxTabs is of size MAX_TAB_STOPS, or 32.
I'm not sure what the correct fix is. Would you mind having a look? For what it's worth, this is Coverity id 727.
Thanks, --Juan
1: http://source.winehq.org/git/wine.git/?a=commit;h=11c80396995065701205f2facb...
On Thu, Sep 11, 2008 at 4:30 PM, Juan Lang juan.lang@gmail.com wrote:
Hi Dylan, commit 11c80396995065701205f2facb3dba10a6f8170f[1] introduced a buffer overrun in riched20's editor.c.
Thanks for pointing out the problem.
I sent a patch to wine-patches that fixes the problem.
http://www.winehq.org/pipermail/wine-patches/2008-September/061453.html