Author: tfaber Date: Mon Jan 30 13:15:41 2017 New Revision: 73633 URL: http://svn.reactos.org/svn/reactos?rev=73633&view=rev Log: [FRAMEDYN] - Fix integer overflow checks. CID 1101981, 1248380, 1248381 Modified: trunk/reactos/dll/win32/framedyn/chstring.cpp Modified: trunk/reactos/dll/win32/framedyn/chstring.cpp URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/framedyn/chstrin… ============================================================================== --- trunk/reactos/dll/win32/framedyn/chstring.cpp [iso-8859-1] (original) +++ trunk/reactos/dll/win32/framedyn/chstring.cpp [iso-8859-1] Mon Jan 30 13:15:41 2017 @@ -288,7 +288,7 @@ } // Nor too big - if (nSize > INT_MAX) + if (nSize > (INT_MAX - (int)sizeof(CHStringData)) / (int)sizeof(WCHAR)) { RaiseException(STATUS_INTEGER_OVERFLOW, EXCEPTION_NONCONTINUABLE, 0, 0); } @@ -442,7 +442,7 @@ } // Ensure we wouldn't overflow with the concat - if (GetData()->nDataLength + nSrcLen > INT_MAX) + if (GetData()->nDataLength > INT_MAX - nSrcLen) { RaiseException(STATUS_INTEGER_OVERFLOW, EXCEPTION_NONCONTINUABLE, 0, 0); } @@ -461,7 +461,7 @@ else { // Ensure we don't overflow - if (nSrcLen > INT_MAX) + if (nSrcLen > INT_MAX - GetData()->nDataLength) { RaiseException(STATUS_INTEGER_OVERFLOW, EXCEPTION_NONCONTINUABLE, 0, 0); }