Commit 4312be16 authored by Mark Jansen's avatar Mark Jansen Committed by Alexandre Julliard

gdi32: Fix possible overflow.

According to the documentation of ScriptShape function, the psva argument should have the number of elements indicated by cMaxGlyphs.
parent 46f30707
......@@ -471,7 +471,7 @@ static BOOL BIDI_Reorder( HDC hDC, /* [in] Display DC */
WARN("Out of memory\n");
goto cleanup;
}
psva = HeapAlloc(GetProcessHeap(),0,sizeof(SCRIPT_VISATTR) * uCount);
psva = HeapAlloc(GetProcessHeap(),0,sizeof(SCRIPT_VISATTR) * cMaxGlyphs);
if (!psva)
{
WARN("Out of memory\n");
......@@ -604,16 +604,22 @@ static BOOL BIDI_Reorder( HDC hDC, /* [in] Display DC */
while (res == E_OUTOFMEMORY)
{
WORD *new_run_glyphs = HeapReAlloc(GetProcessHeap(), 0, run_glyphs, sizeof(*run_glyphs) * cMaxGlyphs * 2);
if (!new_run_glyphs)
SCRIPT_VISATTR *new_psva = HeapReAlloc(GetProcessHeap(), 0, psva, sizeof(*psva) * cMaxGlyphs * 2);
if (!new_run_glyphs || !new_psva)
{
WARN("Out of memory\n");
HeapFree(GetProcessHeap(), 0, runOrder);
HeapFree(GetProcessHeap(), 0, visOrder);
HeapFree(GetProcessHeap(), 0, *lpGlyphs);
*lpGlyphs = NULL;
if (new_run_glyphs)
run_glyphs = new_run_glyphs;
if (new_psva)
psva = new_psva;
goto cleanup;
}
run_glyphs = new_run_glyphs;
psva = new_psva;
cMaxGlyphs *= 2;
res = ScriptShape(hDC, &psc, lpString + done + curItem->iCharPos, cChars, cMaxGlyphs, &curItem->a, run_glyphs, pwLogClust, psva, &cOutGlyphs);
}
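Review bot: The new `HeapReAlloc` for `psva` computes `sizeof(*psva) * cMaxGlyphs * 2` with no upper bound, as the existing `run_glyphs` call does, and `cMaxGlyphs *= 2` repeats for as long as `ScriptShape` keeps returning `E_OUTOFMEMORY`. The declaration of `cMaxGlyphs` is outside the hunk, but if it is a signed `int`, a long enough string on a 32-bit build could wrap the byte count or overflow the doubling. That would leave `ScriptShape` with a `cMaxGlyphs` larger than the buffers really are, which is the same kind of overflow this commit fixes. A guard at the top of the loop body, such as `if (cMaxGlyphs > MAX_GLYPHS_LIMIT / 2)` (placeholder name for a project-chosen ceiling), should take the same free-and-`goto cleanup` path. The partial-failure branch also deserves a one-line comment, for example `/* one realloc may have succeeded and moved its block; keep the live pointer so cleanup frees it */`. `BIDI_Reorder` starts and ends outside the visible hunks, so whether `cleanup` frees `runOrder` and `visOrder` again cannot be checked from here.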
......