From: Rémi Bernon rbernon@codeweavers.com
--- dlls/quartz/filtermapper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dlls/quartz/filtermapper.c b/dlls/quartz/filtermapper.c
index 149bc8d1716..dd7c6c41872 100644
--- a/dlls/quartz/filtermapper.c
+++ b/dlls/quartz/filtermapper.c
@@ -425,7 +425,7 @@ static int add_data(struct Vector *v, const void *pData, int size)
 static int find_data(const struct Vector *v, const void *pData, int size)
 {
 int index;
- for (index = 0; index < v->current; index++)
+ for (index = 0; index + size <= v->current; index++)
 if (!memcmp(v->pData + index, pData, size))
 return index;
 /* not found */
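Review bot: The new bound `index + size <= v->current` keeps memcmp inside the vector only when `size` is non-negative; both operands are `int`, so a negative `size` still satisfies the comparison and is then converted to a huge `size_t` by memcmp, and a `size` close to INT_MAX overflows the addition. Whether any caller can pass such a value is not visible in this hunk; if add_data and the other callers guarantee `0 <= size`, a one-line comment above the loop stating that invariant, e.g. `/* size is a small non-negative element size, so index + size cannot overflow */`, would document why the check is sufficient, otherwise rejecting `size < 0` before the loop and taking the existing not-found path is cheap. find_data's not-found return after the `/* not found */` comment lies outside the hunk.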
From: Rémi Bernon rbernon@codeweavers.com
--- dlls/setupapi/devinst.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/dlls/setupapi/devinst.c b/dlls/setupapi/devinst.c
index ef7b4dccf0d..6c4a6e68b4d 100644
--- a/dlls/setupapi/devinst.c
+++ b/dlls/setupapi/devinst.c
@@ -4610,7 +4610,8 @@ static BOOL device_matches_id(const struct device *device, const WCHAR *id_type,
 device_ids = heap_alloc(size);
 if (!RegGetValueW(device->key, NULL, id_type, RRF_RT_REG_MULTI_SZ, NULL, device_ids, &size))
 {
- for (p = device_ids, i = 0; *p; p += lstrlenW(p) + 1, i++)
+ char *end = (char *)device_ids + size;
+ for (p = device_ids, i = 0; (char *)p + sizeof(WCHAR) <= end && *p; p += lstrlenW(p) + 1, i++)
 {
 if (!wcsicmp(p, id))
 {
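Review bot: The added `(char *)p + sizeof(WCHAR) <= end` condition bounds only the dereference of `*p`; `lstrlenW(p)` in the loop increment and `wcsicmp(p, id)` in the body still scan until a NUL, so a final string that is not terminated within the `size` bytes reported by RegGetValueW is still read past `end`. A bound that covers those calls too is a single check after `end` is computed, before the loop: `if (size < sizeof(WCHAR) || *(const WCHAR *)(end - sizeof(WCHAR))) /* malformed MULTI_SZ: treat as no match */` and skip the loop in that case, keeping the per-element `*p` check as well; if `size` can be odd the same check should also reject `size % sizeof(WCHAR)`. `end` is derived from the `size` that RegGetValueW writes back, which I read as the number of bytes stored rather than the allocation size — worth confirming, since the whole bound rests on it. device_matches_id begins and ends outside the hunk, so the unchecked `heap_alloc(size)` result on the context line may be handled elsewhere.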
We should only be able to overread in device_matches_id() if the string wasn't properly double-null-terminated. When can that happen?