Piotr Caban (@piotr) commented about dlls/winspool.drv/info.c:
int i; if (!dm) return FALSE;
- if (!dm->dmSize || size < dm->dmSize) return FALSE;
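Review bot: the removed check dereferences `dm->dmSize` with only the NULL test ahead of it, so a caller passing a `size` smaller than the offset of `dmSize` has that field read from beyond the buffer before the `size < dm->dmSize` comparison ever runs; compare `size` against the offset of the header fields before reading them, and bound the total by `dmSize + dmDriverExtra` rather than `dmSize` alone, since the driver-extra bytes are part of what the caller must supply. The `!dm->dmSize` test also accepts any non-zero `dmSize`, including values too small to contain `dmFields`, so the lower bound should be the end of `dmFields`, not 1.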
It's not safe to check the `dm->dmSize` field before validating that `size` is big enough for us to read it. Also, there needs to be enough room for `dm->dmSize + dm->dmDriverExtra`. The current implementation will also behave incorrectly if `dm->dmSize` is 1 (it should fail in this case too).

I'm thinking of something along these lines (not tested):

```c
if (!dm) return FALSE;
if (size < FIELD_OFFSET(DEVMODEW, dmFields)) return FALSE;
if (dm->dmSize < FIELD_OFFSET(DEVMODEW, dmFields) + sizeof(dm->dmFields) ||
    dm->dmSize + dm->dmDriverExtra > size) return FALSE;

for (i = 0; i < ARRAY_SIZE(map); i++)
    if ((dm->dmFields & map[i].flag) && dm->dmSize < map[i].size) return FALSE;

return TRUE;
```
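To make the difference between the two checks concrete, here is a stand-alone C program that puts the removed check and the check proposed above side by side and runs both over the cases named in the comment. It is an added example, not code from the Wine merge request or from winspool.drv: the `DEVMODEW` definition is a simplified stand-in that keeps only the real header field order (`dmSize` and `dmDriverExtra` just before `dmFields`) plus a handful of the flagged members, the `map` table and the `FIELD_OFFSET`/`ARRAY_SIZE` macros are constructed here, and `check_old`/`check_new`/`make_devmode` are helpers for this example only. The `DM_*` flag values are the real Windows constants.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WORD;
typedef uint32_t DWORD;
typedef int BOOL;
#define TRUE  1
#define FALSE 0
#define FIELD_OFFSET(type, field) ((DWORD)offsetof(type, field))
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Simplified stand-in for DEVMODEW, constructed for this example: same header
 * order as the real structure up to dmFields, then a subset of the members
 * that dmFields can select. Not the Wine/Windows definition. */
typedef struct {
    WORD  dmDeviceName[32];
    WORD  dmSpecVersion;
    WORD  dmDriverVersion;
    WORD  dmSize;          /* caller-declared size of the fixed part */
    WORD  dmDriverExtra;   /* driver-private bytes following the fixed part */
    DWORD dmFields;        /* bitmask: which of the members below are valid */
    short dmOrientation;
    short dmPaperSize;
    short dmPaperLength;
    short dmPaperWidth;
    short dmScale;
    short dmCopies;
    WORD  dmFormName[32];
    DWORD dmPelsWidth;
    DWORD dmPelsHeight;
} DEVMODEW;

/* Real DM_* flag values (only those the map below needs). */
#define DM_ORIENTATION 0x00000001
#define DM_PAPERSIZE   0x00000002
#define DM_COPIES      0x00000100
#define DM_PELSWIDTH   0x00080000
#define DM_PELSHEIGHT  0x00100000

/* Minimum dmSize for each flagged member to lie inside the fixed part (constructed). */
static const struct { DWORD flag; WORD size; } map[] = {
    { DM_ORIENTATION, FIELD_OFFSET(DEVMODEW, dmOrientation) + sizeof(short) },
    { DM_PAPERSIZE,   FIELD_OFFSET(DEVMODEW, dmPaperSize)   + sizeof(short) },
    { DM_COPIES,      FIELD_OFFSET(DEVMODEW, dmCopies)      + sizeof(short) },
    { DM_PELSWIDTH,   FIELD_OFFSET(DEVMODEW, dmPelsWidth)   + sizeof(DWORD) },
    { DM_PELSHEIGHT,  FIELD_OFFSET(DEVMODEW, dmPelsHeight)  + sizeof(DWORD) },
};

/* The check from the removed line: dmSize is read before `size` is known to
 * cover it, dmDriverExtra is ignored, and dmSize == 1 is accepted. */
static BOOL validate_old(const DEVMODEW *dm, DWORD size)
{
    if (!dm) return FALSE;
    if (!dm->dmSize || size < dm->dmSize) return FALSE;
    return TRUE;
}

/* The check along the lines proposed in the review comment. */
static BOOL validate_new(const DEVMODEW *dm, DWORD size)
{
    size_t i;
    if (!dm) return FALSE;
    /* Everything up to dmFields (so dmSize and dmDriverExtra) must be readable first. */
    if (size < FIELD_OFFSET(DEVMODEW, dmFields)) return FALSE;
    /* dmSize must cover dmFields; fixed part plus driver extra must fit the buffer. */
    if (dm->dmSize < FIELD_OFFSET(DEVMODEW, dmFields) + sizeof(dm->dmFields) ||
        (DWORD)dm->dmSize + dm->dmDriverExtra > size) return FALSE;
    /* Every member selected by dmFields must lie inside the dmSize bytes. */
    for (i = 0; i < ARRAY_SIZE(map); i++)
        if ((dm->dmFields & map[i].flag) && dm->dmSize < map[i].size) return FALSE;
    return TRUE;
}

/* Helper for this example: a fully backed DEVMODEW with the given header values.
 * Because the struct is complete in memory, the old check's early read of
 * dmSize is only wrong here, not out of bounds as it would be on a short buffer. */
static DEVMODEW make_devmode(WORD dmSize, WORD extra, DWORD fields)
{
    DEVMODEW dm;
    memset(&dm, 0, sizeof(dm));
    dm.dmSize = dmSize;
    dm.dmDriverExtra = extra;
    dm.dmFields = fields;
    return dm;
}

BOOL check_old(WORD dmSize, WORD extra, DWORD fields, DWORD size)
{
    DEVMODEW dm = make_devmode(dmSize, extra, fields);
    return validate_old(&dm, size);
}

BOOL check_new(WORD dmSize, WORD extra, DWORD fields, DWORD size)
{
    DEVMODEW dm = make_devmode(dmSize, extra, fields);
    return validate_new(&dm, size);
}

int main(void)
{
    const DWORD full = sizeof(DEVMODEW);
    struct { const char *name; WORD dmSize; WORD extra; DWORD fields; DWORD size; } cases[] = {
        { "well-formed",                        full, 0,  DM_ORIENTATION | DM_PELSWIDTH, full },
        { "dmSize == 1",                        1,    0,  DM_ORIENTATION,                full },
        { "dmDriverExtra past end of buffer",   full, 64, 0,                             full },
        { "dmSize ends before flagged member",  FIELD_OFFSET(DEVMODEW, dmCopies) + sizeof(short),
                                                0, DM_PELSWIDTH, full },
    };
    size_t i;
    for (i = 0; i < ARRAY_SIZE(cases); i++)
        printf("%-36s old: %d  new: %d\n", cases[i].name,
               check_old(cases[i].dmSize, cases[i].extra, cases[i].fields, cases[i].size),
               check_new(cases[i].dmSize, cases[i].extra, cases[i].fields, cases[i].size));
    return 0;
}
```

Only the first case is accepted by both checks; the old check also accepts the other three, which is exactly the gap the comment describes. The driver-extra case passes the new check again once the caller supplies `dmSize + dmDriverExtra` bytes.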