https://git.reactos.org/?p=reactos.git;a=commitdiff;h=bc9f3ed887861dfcc935a… commit bc9f3ed887861dfcc935ab077eaeea38b4cf1b1d Author: Katayama Hirofumi MZ &lt;katayama.hirofumi.mz(a)gmail.com&gt; AuthorDate: Thu Apr 11 17:57:57 2019 +0900 Commit: GitHub &lt;noreply(a)github.com&gt; CommitDate: Thu Apr 11 17:57:57 2019 +0900 [GDI32][NTGDI] Avoid integer overflow (follow-up of #1492) (#1495) Follow up of #1492. CORE-15755 - Use RtlULongMult function to check integer overflows. --- win32ss/gdi/gdi32/include/precomp.h | 1 + win32ss/gdi/gdi32/objects/font.c | 12 ++++++++++-- win32ss/gdi/ntgdi/freetype.c | 13 ++++++++----- 3 files changed, 19 insertions(+), 7 deletions(-) diff --git a/win32ss/gdi/gdi32/include/precomp.h b/win32ss/gdi/gdi32/include/precomp.h index 5f8614b3a92..3d4b823c2fe 100644 --- a/win32ss/gdi/gdi32/include/precomp.h +++ b/win32ss/gdi/gdi32/include/precomp.h @@ -58,5 +58,6 @@ #include <ntgdibad.h> #include <undocgdi.h> +#include <ntintsafe.h> #endif /* _GDI32_PCH_ */ diff --git a/win32ss/gdi/gdi32/objects/font.c b/win32ss/gdi/gdi32/objects/font.c index e20c0702fb9..1b6cfa7296f 100644 --- a/win32ss/gdi/gdi32/objects/font.c +++ b/win32ss/gdi/gdi32/objects/font.c @@ -295,7 +295,9 @@ IntEnumFontFamilies(HDC Dc, const LOGFONTW *LogFont, PVOID EnumProc, LPARAM lPar ENUMLOGFONTEXA EnumLogFontExA; NEWTEXTMETRICEXA NewTextMetricExA; LOGFONTW lfW; - LONG DataSize, InfoCount; + LONG InfoCount; + ULONG DataSize; + NTSTATUS Status; DataSize = INITIAL_FAMILY_COUNT * sizeof(FONTFAMILYINFO); Info = RtlAllocateHeap(GetProcessHeap(), 0, DataSize); @@ -330,7 +332,13 @@ IntEnumFontFamilies(HDC Dc, const LOGFONTW *LogFont, PVOID EnumProc, LPARAM lPar if (INITIAL_FAMILY_COUNT < InfoCount) { RtlFreeHeap(GetProcessHeap(), 0, Info); - DataSize = InfoCount * sizeof(FONTFAMILYINFO); + + Status = RtlULongMult(InfoCount, sizeof(FONTFAMILYINFO), &DataSize); + if (!NT_SUCCESS(Status) || DataSize > LONG_MAX) + { + DPRINT1("Overflowed.\n"); + return 1; + } Info = RtlAllocateHeap(GetProcessHeap(), 0, DataSize); if (Info == NULL) { diff --git a/win32ss/gdi/ntgdi/freetype.c b/win32ss/gdi/ntgdi/freetype.c index 298c1fa12ca..2f699cdacbe 100644 --- a/win32ss/gdi/ntgdi/freetype.c +++ b/win32ss/gdi/ntgdi/freetype.c @@ -5456,7 +5456,8 @@ NtGdiGetFontFamilyInfo(HDC Dc, NTSTATUS Status; LOGFONTW LogFont; PFONTFAMILYINFO Info; - LONG GotCount, AvailCount, DataSize, SafeInfoCount; + LONG GotCount, AvailCount, SafeInfoCount; + ULONG DataSize; if (UnsafeLogFont == NULL || UnsafeInfo == NULL || UnsafeInfoCount == NULL) { @@ -5490,9 +5491,10 @@ NtGdiGetFontFamilyInfo(HDC Dc, } /* Allocate space for a safe copy */ - DataSize = SafeInfoCount * sizeof(FONTFAMILYINFO); - if (DataSize <= 0) + Status = RtlULongMult(SafeInfoCount, sizeof(FONTFAMILYINFO), &DataSize); + if (!NT_SUCCESS(Status) || (ULONG)DataSize > LONG_MAX) { + DPRINT1("Overflowed.\n"); EngSetLastError(ERROR_INVALID_PARAMETER); return -1; } @@ -5511,9 +5513,10 @@ NtGdiGetFontFamilyInfo(HDC Dc, /* Return data to caller */ if (GotCount > 0) { - DataSize = GotCount * sizeof(FONTFAMILYINFO); - if (DataSize <= 0) + Status = RtlULongMult(GotCount, sizeof(FONTFAMILYINFO), &DataSize); + if (!NT_SUCCESS(Status) || DataSize > LONG_MAX) { + DPRINT1("Overflowed.\n"); ExFreePoolWithTag(Info, GDITAG_TEXT); EngSetLastError(ERROR_INVALID_PARAMETER); return -1;