wined3d: Validate instruction lengths in shader_sm4_read_instruction() (AFL).

Signed-off-by: Henri Verbeet <hverbeet@codeweavers.com> Signed-off-by: Alexandre Julliard <julliard@winehq.org>

wined3d: Validate instruction lengths in shader_sm4_read_instruction() (AFL).
a9e5a02a · Henri Verbeet · Alexandre Julliard · fd05297f · a9e5a02a
Commit a9e5a02a authored Mar 09, 2017 by Henri Verbeet Committed by Alexandre Julliard Mar 09, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 27 additions and 0 deletions

shader_sm4.c dlls/wined3d/shader_sm4.c +27 -0

No files found.
--- a/dlls/wined3d/shader_sm4.c
+++ b/dlls/wined3d/shader_sm4.c
@@ -1507,16 +1507,36 @@ static void shader_sm4_read_instruction(void *data, const DWORD **ptr, struct wi
    DWORD opcode_token, opcode, previous_token;
    struct wined3d_sm4_data *priv = data;
    unsigned int i, len;
+    SIZE_T remaining;
    const DWORD *p;

    list_move_head(&priv->src_free, &priv->src);

+    if (*ptr >= priv->end)
+    {
+        WARN("End of byte-code, failed to read opcode.\n");
+        goto fail;
+    }
+    remaining = priv->end - *ptr;
+
    opcode_token = *(*ptr)++;
    opcode = opcode_token & WINED3D_SM4_OPCODE_MASK;

    len = ((opcode_token & WINED3D_SM4_INSTRUCTION_LENGTH_MASK) >> WINED3D_SM4_INSTRUCTION_LENGTH_SHIFT);
    if (!len)
+    {
+        if (remaining < 2)
+        {
+            WARN("End of byte-code, failed to read length token.\n");
+            goto fail;
+        }
        len = **ptr;
+    }
+    if (!len || remaining < len)
+    {
+        WARN("Read invalid length %u (remaining %lu).\n", len, remaining);
+        goto fail;
+    }
    --len;

    if (TRACE_ON(d3d_bytecode))
@@ -1589,6 +1609,13 @@ static void shader_sm4_read_instruction(void *data, const DWORD **ptr, struct wi
            }
        }
    }
+
+    return;
+
+fail:
+    *ptr = priv->end;
+    ins->handler_idx = WINED3DSIH_TABLE_SIZE;
+    return;
 }

 static BOOL shader_sm4_is_end(void *data, const DWORD **ptr)