[PATCH v5 0/1] MR5727: riched20: In EM_SETPARAFORMAT protect against out of bound cTabStop values
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=56730
-- v5: riched20: In para_set_fmt protect against out of bound cTabStop values
From: Fabian Maurer dark.shadow4@web.de
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=56730 --- dlls/riched20/para.c | 5 +++-- dlls/riched20/tests/editor.c | 29 +++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/dlls/riched20/para.c b/dlls/riched20/para.c index a380f45e556..2c9e2892189 100644 --- a/dlls/riched20/para.c +++ b/dlls/riched20/para.c @@ -486,8 +486,9 @@ static BOOL para_set_fmt( ME_TextEditor *editor, ME_Paragraph *para, const PARAF COPY_FIELD(PFM_ALIGNMENT, wAlignment); if (dwMask & PFM_TABSTOPS) { - para->fmt.cTabCount = pFmt->cTabCount; - memcpy(para->fmt.rgxTabs, pFmt->rgxTabs, pFmt->cTabCount*sizeof(LONG)); + /* Clamp between 0 and MAX_TAB_STOPS */ + para->fmt.cTabCount = max(0, min(pFmt->cTabCount, MAX_TAB_STOPS)); + memcpy(para->fmt.rgxTabs, pFmt->rgxTabs, para->fmt.cTabCount * sizeof(LONG)); }
#define EFFECTS_MASK (PFM_RTLPARA|PFM_KEEP|PFM_KEEPNEXT|PFM_PAGEBREAKBEFORE| \ diff --git a/dlls/riched20/tests/editor.c b/dlls/riched20/tests/editor.c index f8abb7a3e65..19cd40aea48 100644 --- a/dlls/riched20/tests/editor.c +++ b/dlls/riched20/tests/editor.c @@ -8802,6 +8802,35 @@ static void test_alignment_style(void) SendMessageW(richedit, EM_GETPARAFORMAT, 0, (LPARAM)&pf); ok(pf.wAlignment == align_mask[i], "got %d expect %ld\n", pf.wAlignment, align_mask[i]);
+ /* Test out of bounds tab count */ + pf.dwMask = PFM_TABSTOPS; + pf.cTabCount = -25000; + SendMessageW(richedit, EM_SETPARAFORMAT, 0, (LPARAM)&pf); + ok(pf.cTabCount == -25000, "Got %d\n", pf.cTabCount); + SendMessageW(richedit, EM_GETPARAFORMAT, 0, (LPARAM)&pf); + ok(pf.cTabCount == 0, "Got %d\n", pf.cTabCount); + pf.dwMask = PFM_TABSTOPS; + pf.cTabCount = 25000; + SendMessageW(richedit, EM_SETPARAFORMAT, 0, (LPARAM)&pf); + ok(pf.cTabCount == 25000, "Got %d\n", pf.cTabCount); + SendMessageW(richedit, EM_GETPARAFORMAT, 0, (LPARAM)&pf); + ok(pf.cTabCount == 32, "Got %d\n", pf.cTabCount); + pf.dwMask = PFM_TABSTOPS; + pf.cTabCount = 32; + SendMessageW(richedit, EM_SETPARAFORMAT, 0, (LPARAM)&pf); + SendMessageW(richedit, EM_GETPARAFORMAT, 0, (LPARAM)&pf); + ok(pf.cTabCount == 32, "Got %d\n", pf.cTabCount); + pf.dwMask = PFM_TABSTOPS; + pf.cTabCount = 33; + SendMessageW(richedit, EM_SETPARAFORMAT, 0, (LPARAM)&pf); + SendMessageW(richedit, EM_GETPARAFORMAT, 0, (LPARAM)&pf); + ok(pf.cTabCount == 32, "Got %d\n", pf.cTabCount); + pf.dwMask = PFM_TABSTOPS; + pf.cTabCount = 1; + SendMessageW(richedit, EM_SETPARAFORMAT, 0, (LPARAM)&pf); + SendMessageW(richedit, EM_GETPARAFORMAT, 0, (LPARAM)&pf); + ok(pf.cTabCount == 1, "Got %d\n", pf.cTabCount); + DestroyWindow(richedit); }
Hi,
It looks like your patch introduced the new failures shown below. Please investigate and fix them before resubmitting your patch. If they are not new, fixing them anyway would help a lot. Otherwise please ask for the known failures list to be updated.
The tests also ran into some preexisting test failures. If you know how to fix them that would be helpful. See the TestBot job for the details:
The full results can be found at: https://testbot.winehq.org/JobDetails.pl?Key=145878
Your paranoid android.
=== debian11b (64 bit WoW report) ===
user32: input.c:4067: Test succeeded inside todo block: button_down_hwnd_todo 1: got MSG_TEST_WIN hwnd 00000000011900EC, msg WM_LBUTTONDOWN, wparam 0x1, lparam 0x320032
This merge request was approved by Huw Davies.
-
Fabian Maurer -
Fabian Maurer (@DarkShadow44)
-
Huw Davies (@huw)
-
Marvin