[PATCH 0/1] MR2696: ntdll: Avoid integer overflow in block_get_subheap(). - wine-gitlab - winehq.org

List overview All Threads

[PATCH 0/1] MR2696: ntdll: Avoid integer overflow in block_get_subheap().

[PATCH v10 0/2] MR566: shell32:...

[PATCH 0/1] MR2686: ntdll: Mind...

Paul Gofman (＠gofman)

22 Apr 2023 22 Apr '23

1:22 a.m.

'block->base_offset * REGION_ALIGN' overflows once WORD base_offset value reaches 0x8000, so block_get_subheap() returns wrong address.

-- https://gitlab.winehq.org/wine/wine/-/merge_requests/2696

Show replies by date

Paul Gofman

22 Apr 22 Apr

1:22 a.m.

New subject: [PATCH 1/1] ntdll: Avoid integer overflow in block_get_subheap().

From: Paul Gofman pgofman@codeweavers.com

--- dlls/ntdll/heap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dlls/ntdll/heap.c b/dlls/ntdll/heap.c index 7547ac50f61..5c882def50e 100644 --- a/dlls/ntdll/heap.c +++ b/dlls/ntdll/heap.c @@ -357,7 +357,7 @@ static inline void block_set_type( struct block *block, UINT type ) static inline SUBHEAP *block_get_subheap( const struct heap *heap, const struct block *block ) { char *offset = ROUND_ADDR( block, REGION_ALIGN - 1 ); - void *base = offset - block->base_offset * REGION_ALIGN; + void *base = offset - (SIZE_T)block->base_offset * REGION_ALIGN; if (base != (void *)heap) return base; else return (SUBHEAP *)&heap->subheap; }

-- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/2696

Rémi Bernon (＠rbernon)

24 Apr 24 Apr

8:55 a.m.

New subject: [PATCH 0/1] MR2696: ntdll: Avoid integer overflow in block_get_subheap(). - approved

This merge request was approved by Rémi Bernon.

-- https://gitlab.winehq.org/wine/wine/-/merge_requests/2696

654

Age (days ago)

656

Last active (days ago)

wine-gitlab@winehq.org

2 comments

3 participants

tags (0)

participants (3)

Paul Gofman
Paul Gofman (＠gofman)
Rémi Bernon (＠rbernon)