d3d10: Validate offsets and sizes in parse_dxbc() (AFL).

Signed-off-by: Henri Verbeet <hverbeet@codeweavers.com> Signed-off-by: Alexandre Julliard <julliard@winehq.org>

d3d10: Validate offsets and sizes in parse_dxbc() (AFL).
994c5618 · Henri Verbeet · Alexandre Julliard · e5a4da38 · 994c5618 · 994c5618
Commit 994c5618 authored May 24, 2016 by Henri Verbeet Committed by Alexandre Julliard May 25, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 0 deletions

d3d10_private.h dlls/d3d10/d3d10_private.h +5 -0

utils.c dlls/d3d10/utils.c +12 -0

No files found.
--- a/dlls/d3d10/d3d10_private.h
+++ b/dlls/d3d10/d3d10_private.h
@@ -294,6 +294,11 @@ static inline void write_dword(char **ptr, DWORD d)
    *ptr += sizeof(d);
 }
+static inline BOOL require_space(size_t offset, size_t size, size_t data_size)
+{
+    return data_size - offset >= size;
+}
 void skip_dword_unknown(const char *location, const char **ptr, unsigned int count) DECLSPEC_HIDDEN;
 void write_dword_unknown(char **ptr, DWORD d) DECLSPEC_HIDDEN;

--- a/dlls/d3d10/utils.c
+++ b/dlls/d3d10/utils.c
@@ -217,11 +217,23 @@ HRESULT parse_dxbc(const char *data, SIZE_T data_size,
        read_dword(&ptr, &chunk_offset);
        TRACE("chunk %u at offset %#x\n", i, chunk_offset);
+        if (chunk_offset >= data_size || !require_space(chunk_offset, 2 * sizeof(DWORD), data_size))
+        {
+            WARN("Invalid chunk offset %#x (data size %#lx).\n", chunk_offset, data_size);
+            return E_FAIL;
+        }
        chunk_ptr = data + chunk_offset;
        read_dword(&chunk_ptr, &chunk_tag);
        read_dword(&chunk_ptr, &chunk_size);
+        if (!require_space(chunk_ptr - data, chunk_size, data_size))
+        {
+            WARN("Invalid chunk size %#x (data size %#lx, chunk offset %#x).\n", chunk_size, data_size, chunk_offset);
+            return E_FAIL;
+        }
        hr = chunk_handler(chunk_ptr, chunk_size, chunk_tag, ctx);
        if (FAILED(hr)) break;
    }