[tfaber] 73633: [FRAMEDYN] - Fix integer overflow checks. CID 1101981, 1248380, 1248381 - Ros-diffs

30 Jan 2017

Author: tfaber
Date: Mon Jan 30 13:15:41 2017
New Revision: 73633
URL: http://svn.reactos.org/svn/reactos?rev=73633&view=rev
Log:
[FRAMEDYN]
- Fix integer overflow checks. CID 1101981, 1248380, 1248381
Modified:
    trunk/reactos/dll/win32/framedyn/chstring.cpp
Modified: trunk/reactos/dll/win32/framedyn/chstring.cpp
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/framedyn/chstring...
==============================================================================

--- trunk/reactos/dll/win32/framedyn/chstring.cpp	[iso-8859-1] (original)
+++ trunk/reactos/dll/win32/framedyn/chstring.cpp	[iso-8859-1] Mon Jan 30 13:15:41 2017
@@ -288,7 +288,7 @@
     }
// Nor too big
-    if (nSize > INT_MAX)
+    if (nSize > (INT_MAX - (int)sizeof(CHStringData)) / (int)sizeof(WCHAR))
     {
         RaiseException(STATUS_INTEGER_OVERFLOW, EXCEPTION_NONCONTINUABLE, 0, 0);
     }
@@ -442,7 +442,7 @@
     }
// Ensure we wouldn't overflow with the concat
-    if (GetData()->nDataLength + nSrcLen > INT_MAX)
+    if (GetData()->nDataLength > INT_MAX - nSrcLen)
     {
         RaiseException(STATUS_INTEGER_OVERFLOW, EXCEPTION_NONCONTINUABLE, 0, 0);
     }
@@ -461,7 +461,7 @@
     else
     {
         // Ensure we don't overflow
-        if (nSrcLen > INT_MAX)
+        if (nSrcLen > INT_MAX - GetData()->nDataLength)
         {
             RaiseException(STATUS_INTEGER_OVERFLOW, EXCEPTION_NONCONTINUABLE, 0, 0);
         }

    