kernel32: Protect global alloc functions against integer overflows on the size parameter.

c3b4fe39 · Rob Shearman · Alexandre Julliard · fb883d86 · c3b4fe39
Commit c3b4fe39 authored Dec 17, 2006 by Rob Shearman Committed by Alexandre Julliard Dec 18, 2006
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 2 deletions

heap.c dlls/kernel32/heap.c +18 -2

No files found.
--- a/dlls/kernel32/heap.c
+++ b/dlls/kernel32/heap.c
@@ -365,6 +365,12 @@ HGLOBAL WINAPI GlobalAlloc(
   }
   else  /* HANDLE */
   {
+      if (size > INT_MAX-HGLOBAL_STORAGE)
+      {
+          SetLastError(ERROR_OUTOFMEMORY);
+          return 0;
+      }
+
      RtlLockHeap(GetProcessHeap());

      pintern = HeapAlloc(GetProcessHeap(), 0, sizeof(GLOBAL32_INTERN));
@@ -658,7 +664,12 @@ HGLOBAL WINAPI GlobalReAlloc(
            hnew=hmem;
            if(pintern->Pointer)
            {
-               if((palloc = HeapReAlloc(GetProcessHeap(), heap_flags,
+               if(size > INT_MAX-HGLOBAL_STORAGE)
+               {
+                   SetLastError(ERROR_OUTOFMEMORY);
+                   hnew = 0;
+               }
+               else if((palloc = HeapReAlloc(GetProcessHeap(), heap_flags,
                                   (char *) pintern->Pointer-HGLOBAL_STORAGE,
                                   size+HGLOBAL_STORAGE)) == NULL)
                   hnew = 0; /* Block still valid */
@@ -667,7 +678,12 @@ HGLOBAL WINAPI GlobalReAlloc(
            }
            else
            {
-                if((palloc=HeapAlloc(GetProcessHeap(), heap_flags, size+HGLOBAL_STORAGE))
+                if(size > INT_MAX-HGLOBAL_STORAGE)
+                {
+                    SetLastError(ERROR_OUTOFMEMORY);
+                    hnew = 0;
+                }
+                else if((palloc=HeapAlloc(GetProcessHeap(), heap_flags, size+HGLOBAL_STORAGE))
                   == NULL)
                    hnew = 0;
                else