https://git.reactos.org/?p=reactos.git;a=commitdiff;h=bc9f3ed887861dfcc935a…
commit bc9f3ed887861dfcc935ab077eaeea38b4cf1b1d
Author: Katayama Hirofumi MZ <katayama.hirofumi.mz(a)gmail.com>
AuthorDate: Thu Apr 11 17:57:57 2019 +0900
Commit: GitHub <noreply(a)github.com>
CommitDate: Thu Apr 11 17:57:57 2019 +0900
[GDI32][NTGDI] Avoid integer overflow (follow-up of #1492) (#1495)
Follow up of #1492. CORE-15755
- Use RtlULongMult function to check integer overflows.
---
win32ss/gdi/gdi32/include/precomp.h | 1 +
win32ss/gdi/gdi32/objects/font.c | 12 ++++++++++--
win32ss/gdi/ntgdi/freetype.c | 13 ++++++++-----
3 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/win32ss/gdi/gdi32/include/precomp.h b/win32ss/gdi/gdi32/include/precomp.h
index 5f8614b3a92..3d4b823c2fe 100644
--- a/win32ss/gdi/gdi32/include/precomp.h
+++ b/win32ss/gdi/gdi32/include/precomp.h
@@ -58,5 +58,6 @@
#include <ntgdibad.h>
#include <undocgdi.h>
+#include <ntintsafe.h>
#endif /* _GDI32_PCH_ */
diff --git a/win32ss/gdi/gdi32/objects/font.c b/win32ss/gdi/gdi32/objects/font.c
index e20c0702fb9..1b6cfa7296f 100644
--- a/win32ss/gdi/gdi32/objects/font.c
+++ b/win32ss/gdi/gdi32/objects/font.c
@@ -295,7 +295,9 @@ IntEnumFontFamilies(HDC Dc, const LOGFONTW *LogFont, PVOID EnumProc,
LPARAM lPar
ENUMLOGFONTEXA EnumLogFontExA;
NEWTEXTMETRICEXA NewTextMetricExA;
LOGFONTW lfW;
- LONG DataSize, InfoCount;
+ LONG InfoCount;
+ ULONG DataSize;
+ NTSTATUS Status;
DataSize = INITIAL_FAMILY_COUNT * sizeof(FONTFAMILYINFO);
Info = RtlAllocateHeap(GetProcessHeap(), 0, DataSize);
@@ -330,7 +332,13 @@ IntEnumFontFamilies(HDC Dc, const LOGFONTW *LogFont, PVOID EnumProc,
LPARAM lPar
if (INITIAL_FAMILY_COUNT < InfoCount)
{
RtlFreeHeap(GetProcessHeap(), 0, Info);
- DataSize = InfoCount * sizeof(FONTFAMILYINFO);
+
+ Status = RtlULongMult(InfoCount, sizeof(FONTFAMILYINFO), &DataSize);
+ if (!NT_SUCCESS(Status) || DataSize > LONG_MAX)
+ {
+ DPRINT1("Overflowed.\n");
+ return 1;
+ }
Info = RtlAllocateHeap(GetProcessHeap(), 0, DataSize);
if (Info == NULL)
{
diff --git a/win32ss/gdi/ntgdi/freetype.c b/win32ss/gdi/ntgdi/freetype.c
index 298c1fa12ca..2f699cdacbe 100644
--- a/win32ss/gdi/ntgdi/freetype.c
+++ b/win32ss/gdi/ntgdi/freetype.c
@@ -5456,7 +5456,8 @@ NtGdiGetFontFamilyInfo(HDC Dc,
NTSTATUS Status;
LOGFONTW LogFont;
PFONTFAMILYINFO Info;
- LONG GotCount, AvailCount, DataSize, SafeInfoCount;
+ LONG GotCount, AvailCount, SafeInfoCount;
+ ULONG DataSize;
if (UnsafeLogFont == NULL || UnsafeInfo == NULL || UnsafeInfoCount == NULL)
{
@@ -5490,9 +5491,10 @@ NtGdiGetFontFamilyInfo(HDC Dc,
}
/* Allocate space for a safe copy */
- DataSize = SafeInfoCount * sizeof(FONTFAMILYINFO);
- if (DataSize <= 0)
+ Status = RtlULongMult(SafeInfoCount, sizeof(FONTFAMILYINFO), &DataSize);
+ if (!NT_SUCCESS(Status) || (ULONG)DataSize > LONG_MAX)
{
+ DPRINT1("Overflowed.\n");
EngSetLastError(ERROR_INVALID_PARAMETER);
return -1;
}
@@ -5511,9 +5513,10 @@ NtGdiGetFontFamilyInfo(HDC Dc,
/* Return data to caller */
if (GotCount > 0)
{
- DataSize = GotCount * sizeof(FONTFAMILYINFO);
- if (DataSize <= 0)
+ Status = RtlULongMult(GotCount, sizeof(FONTFAMILYINFO), &DataSize);
+ if (!NT_SUCCESS(Status) || DataSize > LONG_MAX)
{
+ DPRINT1("Overflowed.\n");
ExFreePoolWithTag(Info, GDITAG_TEXT);
EngSetLastError(ERROR_INVALID_PARAMETER);
return -1;