[PATCH 0/2] MR8596: dsound: Check if 'cbPropData' for DSPROPERTY_Description1 is large enough
Avoid writing out of bounds.
Signed-off-by: YeshunYe yeyeshun@uniontech.com
From: YeshunYe yeyeshun@uniontech.com
Avoid writing out of bounds.
Signed-off-by: YeshunYe yeyeshun@uniontech.com --- dlls/dsound/propset.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/dlls/dsound/propset.c b/dlls/dsound/propset.c index be284a6dda5..28df7887f65 100644 --- a/dlls/dsound/propset.c +++ b/dlls/dsound/propset.c @@ -475,6 +475,8 @@ static HRESULT DSPROPERTY_Description1( *pcbReturned = sizeof(*ppd); if (!pPropData) return S_OK; + if (cbPropData < sizeof(*ppd)) + return E_INVALIDARG;
data.DeviceId = ppd->DeviceId; data.DataFlow = ppd->DataFlow;
From: YeshunYe yeyeshun@uniontech.com
Signed-off-by: YeshunYe yeyeshun@uniontech.com --- dlls/dsound/tests/propset.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
diff --git a/dlls/dsound/tests/propset.c b/dlls/dsound/tests/propset.c index 71040a70c77..659a9694851 100644 --- a/dlls/dsound/tests/propset.c +++ b/dlls/dsound/tests/propset.c @@ -300,6 +300,20 @@ static void propset_private_tests(void) "Shouldn't be able to set DSPROPERTY_DIRECTSOUNDDEVICE_DESCRIPTION_1: " "support = 0x%lx\n",support);
+ if (support & KSPROPERTY_SUPPORT_GET) { + struct + { + GUID DeviceId; + int reserved; + } data; + ULONG bytes; + data.DeviceId = DSDEVID_DefaultPlayback; + + rc = IKsPropertySet_Get(pps, &DSPROPSETID_DirectSoundDevice, + DSPROPERTY_DIRECTSOUNDDEVICE_DESCRIPTION_1, + NULL, 0, &data, sizeof(data), &bytes); + ok(rc==E_INVALIDARG, "Query buffer size failed: 0x%lx\n",rc); + } /* test DSPROPERTY_DIRECTSOUNDDEVICE_DESCRIPTION_A */ rc = IKsPropertySet_QuerySupport(pps, &DSPROPSETID_DirectSoundDevice, DSPROPERTY_DIRECTSOUNDDEVICE_DESCRIPTION_A,
Is there an application that needs this?
On Mon Jul 21 00:51:15 2025 +0000, Huw Davies wrote:
Is there an application that needs this?
When I ran KuGou Music using Wine, since the builtin quartz was missing a COM interface, I set it to native instead. After doing this, the program could continue running, but it caused a stack corruption error.
Through continuous log analysis, the error was traced to a call to IKsPrivatePropertySetImpl_Get in native quartz, with parameter combinations exactly like those shown in my test case.
Huw Davies (@huw) commented about dlls/dsound/tests/propset.c:
"Shouldn't be able to set DSPROPERTY_DIRECTSOUNDDEVICE_DESCRIPTION_1: " "support = 0x%lx\n",support);
- if (support & KSPROPERTY_SUPPORT_GET) {
struct{GUID DeviceId;int reserved;} data;
Could we just use `DSPROPERTY_DIRECTSOUNDDEVICE_DESCRIPTION_1_DATA` here and pass `sizeof(data) - 1` to the method call? Let's also pass the correct size and test for success.
-
Huw Davies (@huw) -
Yeshun Ye (@yeyeshun)
-
YeshunYe