Commit 3d5d8903 authored by Michał Janiszewski's avatar Michał Janiszewski Committed by Alexandre Julliard

ntdll: Prevent Find{Set, Clear}Run from reading past the end of bitmap.

This can happen with sample arrays such as (hex): FindSetRun: 00 00 00 00 00 00 00 ff FindClearRun: ff ff ff ff ff ff ff 00 Signed-off-by: Michał Janiszewski <janisozaur@gmail.com> Signed-off-by: Alexandre Julliard <julliard@winehq.org>
parent 96106141
...@@ -731,6 +731,12 @@ static ULONG NTDLL_FindSetRun(PCRTL_BITMAP lpBits, ULONG ulStart, PULONG lpSize) ...@@ -731,6 +731,12 @@ static ULONG NTDLL_FindSetRun(PCRTL_BITMAP lpBits, ULONG ulStart, PULONG lpSize)
return ~0U; return ~0U;
} }
/* Check if reached the end of bitmap */
if (ulStart >= lpBits->SizeOfBitMap) {
*lpSize = ulCount - (ulStart - lpBits->SizeOfBitMap);
return ulFoundAt;
}
/* Count blocks of 8 set bits */ /* Count blocks of 8 set bits */
while (*lpOut == 0xff) while (*lpOut == 0xff)
{ {
...@@ -822,6 +828,12 @@ static ULONG NTDLL_FindClearRun(PCRTL_BITMAP lpBits, ULONG ulStart, PULONG lpSiz ...@@ -822,6 +828,12 @@ static ULONG NTDLL_FindClearRun(PCRTL_BITMAP lpBits, ULONG ulStart, PULONG lpSiz
return ~0U; return ~0U;
} }
/* Check if reached the end of bitmap */
if (ulStart >= lpBits->SizeOfBitMap) {
*lpSize = ulCount - (ulStart - lpBits->SizeOfBitMap);
return ulFoundAt;
}
/* Count blocks of 8 clear bits */ /* Count blocks of 8 clear bits */
while (!*lpOut) while (!*lpOut)
{ {
......
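Review bot: The inserted block at `if (ulStart >= lpBits->SizeOfBitMap) {` (and its twin in NTDLL_FindClearRun) puts the opening brace on the `if` line, while the surrounding code in this file puts braces on a line of their own (see the `while (*lpOut == 0xff)` loop directly below); `if (ulStart >= lpBits->SizeOfBitMap)` followed by `{` on the next line would match the file. The subtraction in `*lpSize = ulCount - (ulStart - lpBits->SizeOfBitMap);` is unsigned, so it only yields a sane length if ulCount already credits every bit between the caller's ulStart and the byte boundary ulStart was rounded up to; the commit's 62-bit example suggests that is the case, but the code that sets ulCount and advances ulStart is above the hunk, so I would state the invariant in the comment, e.g. `/* ulStart was rounded up to a byte boundary; drop the bits counted past SizeOfBitMap */`, rather than the generic "Check if reached the end of bitmap". Both NTDLL_FindSetRun and NTDLL_FindClearRun begin before and end after their hunks.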
...@@ -635,7 +635,6 @@ static void test_RtlFindNextForwardRunSet(void) ...@@ -635,7 +635,6 @@ static void test_RtlFindNextForwardRunSet(void)
pRtlInitializeBitMap(&bm, mask, 62); pRtlInitializeBitMap(&bm, mask, 62);
ulCount = pRtlFindNextForwardRunSet(&bm, ulStart, &lpPos); ulCount = pRtlFindNextForwardRunSet(&bm, ulStart, &lpPos);
todo_wine
ok(ulCount == 6, "Invalid length of found set run: %d, expected 6\n", ulCount); ok(ulCount == 6, "Invalid length of found set run: %d, expected 6\n", ulCount);
ok(lpPos == 56, "Invalid position of found set run: %d, expected 56\n", lpPos); ok(lpPos == 56, "Invalid position of found set run: %d, expected 56\n", lpPos);
} }
...@@ -650,7 +649,6 @@ static void test_RtlFindNextForwardRunClear(void) ...@@ -650,7 +649,6 @@ static void test_RtlFindNextForwardRunClear(void)
pRtlInitializeBitMap(&bm, mask, 62); pRtlInitializeBitMap(&bm, mask, 62);
ulCount = pRtlFindNextForwardRunClear(&bm, ulStart, &lpPos); ulCount = pRtlFindNextForwardRunClear(&bm, ulStart, &lpPos);
todo_wine
ok(ulCount == 6, "Invalid length of found clear run: %d, expected 6\n", ulCount); ok(ulCount == 6, "Invalid length of found clear run: %d, expected 6\n", ulCount);
ok(lpPos == 56, "Invalid position of found clear run: %d, expected 56\n", lpPos); ok(lpPos == 56, "Invalid position of found clear run: %d, expected 56\n", lpPos);
} }
......