wined3d: Validate parameter lengths in shader_sm4_read_param() (AFL).

Signed-off-by: Henri Verbeet <hverbeet@codeweavers.com> Signed-off-by: Alexandre Julliard <julliard@winehq.org>

wined3d: Validate parameter lengths in shader_sm4_read_param() (AFL).
a61cfe0f · Henri Verbeet · Alexandre Julliard · 986adeef · a61cfe0f
Commit a61cfe0f authored May 31, 2017 by Henri Verbeet Committed by Alexandre Julliard May 31, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 3 deletions

shader_sm4.c dlls/wined3d/shader_sm4.c +26 -3

No files found.
--- a/dlls/wined3d/shader_sm4.c
+++ b/dlls/wined3d/shader_sm4.c
@@ -1370,8 +1370,14 @@ static BOOL shader_sm4_read_param(struct wined3d_sm4_data *priv, const DWORD **p
        enum wined3d_shader_src_modifier *modifier)
 {
    enum wined3d_sm4_register_type register_type;
-    DWORD token = *(*ptr)++;
-    DWORD order;
+    DWORD token, order;
+
+    if (*ptr >= end)
+    {
+        WARN("Invalid ptr %p >= end %p.\n", *ptr, end);
+        return FALSE;
+    }
+    token = *(*ptr)++;

    register_type = (token & WINED3D_SM4_REGISTER_TYPE_MASK) >> WINED3D_SM4_REGISTER_TYPE_SHIFT;
    if (register_type >= sizeof(register_type_table) / sizeof(*register_type_table)
@@ -1388,7 +1394,14 @@ static BOOL shader_sm4_read_param(struct wined3d_sm4_data *priv, const DWORD **p

    if (token & WINED3D_SM4_REGISTER_MODIFIER)
    {
-        DWORD m = *(*ptr)++;
+        DWORD m;
+
+        if (*ptr >= end)
+        {
+            WARN("Invalid ptr %p >= end %p.\n", *ptr, end);
+            return FALSE;
+        }
+        m = *(*ptr)++;

        switch (m)
        {
@@ -1453,12 +1466,22 @@ static BOOL shader_sm4_read_param(struct wined3d_sm4_data *priv, const DWORD **p
        {
            case WINED3D_SM4_IMMCONST_SCALAR:
                param->immconst_type = WINED3D_IMMCONST_SCALAR;
+                if (end - *ptr < 1)
+                {
+                    WARN("Invalid ptr %p, end %p.\n", *ptr, end);
+                    return FALSE;
+                }
                memcpy(param->u.immconst_data, *ptr, 1 * sizeof(DWORD));
                *ptr += 1;
                break;

            case WINED3D_SM4_IMMCONST_VEC4:
                param->immconst_type = WINED3D_IMMCONST_VEC4;
+                if (end - *ptr < 4)
+                {
+                    WARN("Invalid ptr %p, end %p.\n", *ptr, end);
+                    return FALSE;
+                }
                memcpy(param->u.immconst_data, *ptr, 4 * sizeof(DWORD));
                *ptr += 4;
                break;