Author: tfaber
Date: Thu May 1 19:44:30 2014
New Revision: 63096
URL:
http://svn.reactos.org/svn/reactos?rev=63096&view=rev
Log:
[USP10]
- Fix buffer overflow in _ItemizeInternal
CORE-8133 #resolve
Modified:
trunk/reactos/dll/win32/usp10/usp10.c
Modified: trunk/reactos/dll/win32/usp10/usp10.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/usp10/usp10.c?re…
==============================================================================
--- trunk/reactos/dll/win32/usp10/usp10.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/usp10/usp10.c [iso-8859-1] Thu May 1 19:44:30 2014
@@ -1605,12 +1605,12 @@
* item is set up to prevent random behaviour if the caller erroneously
* checks the n+1 structure */
index++;
+ if (index + 1 > cMaxItems) return E_OUTOFMEMORY;
memset(&pItems[index].a, 0, sizeof(SCRIPT_ANALYSIS));
TRACE("index=%d cnt=%d iCharPos=%d\n", index, cnt,
pItems[index].iCharPos);
/* Set one SCRIPT_STATE item being returned */
- if (index + 1 > cMaxItems) return E_OUTOFMEMORY;
if (pcItems) *pcItems = index;
/* Set SCRIPT_ITEM */