Author: tfaber
Date: Mon Jan 30 13:15:41 2017
New Revision: 73633
URL:
http://svn.reactos.org/svn/reactos?rev=73633&view=rev
Log:
[FRAMEDYN]
- Fix integer overflow checks. CID 1101981, 1248380, 1248381
Modified:
trunk/reactos/dll/win32/framedyn/chstring.cpp
Modified: trunk/reactos/dll/win32/framedyn/chstring.cpp
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/framedyn/chstrin…
==============================================================================
--- trunk/reactos/dll/win32/framedyn/chstring.cpp [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/framedyn/chstring.cpp [iso-8859-1] Mon Jan 30 13:15:41 2017
@@ -288,7 +288,7 @@
}
// Nor too big
- if (nSize > INT_MAX)
+ if (nSize > (INT_MAX - (int)sizeof(CHStringData)) / (int)sizeof(WCHAR))
{
RaiseException(STATUS_INTEGER_OVERFLOW, EXCEPTION_NONCONTINUABLE, 0, 0);
}
@@ -442,7 +442,7 @@
}
// Ensure we wouldn't overflow with the concat
- if (GetData()->nDataLength + nSrcLen > INT_MAX)
+ if (GetData()->nDataLength > INT_MAX - nSrcLen)
{
RaiseException(STATUS_INTEGER_OVERFLOW, EXCEPTION_NONCONTINUABLE, 0, 0);
}
@@ -461,7 +461,7 @@
else
{
// Ensure we don't overflow
- if (nSrcLen > INT_MAX)
+ if (nSrcLen > INT_MAX - GetData()->nDataLength)
{
RaiseException(STATUS_INTEGER_OVERFLOW, EXCEPTION_NONCONTINUABLE, 0, 0);
}