oleaut32: Protect against integer overflow in SysAllocStringLen.

caa301a7 · Marcus Meissner · Alexandre Julliard · 1a145bb5 · caa301a7
Commit caa301a7 authored Nov 24, 2006 by Marcus Meissner Committed by Alexandre Julliard Nov 24, 2006
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 2 deletions

oleaut.c dlls/oleaut32/oleaut.c +6 -2

No files found.
--- a/dlls/oleaut32/oleaut.c
+++ b/dlls/oleaut32/oleaut.c
@@ -20,6 +20,7 @@

 #include <stdarg.h>
 #include <string.h>
+#include <limits.h>

 #define COBJMACROS

@@ -217,6 +218,9 @@ BSTR WINAPI SysAllocStringLen(const OLECHAR *str, unsigned int len)
    DWORD* newBuffer;
    WCHAR* stringBuffer;

+    /* Detect integer overflow. */
+    if (len >= ((UINT_MAX-sizeof(WCHAR)-sizeof(DWORD))/sizeof(WCHAR)))
+	return NULL;
    /*
     * Find the length of the buffer passed-in, in bytes.
     */
@@ -234,8 +238,8 @@ BSTR WINAPI SysAllocStringLen(const OLECHAR *str, unsigned int len)
    /*
     * If the memory allocation failed, return a null pointer.
     */
-    if (newBuffer==0)
-      return 0;
+    if (!newBuffer)
+      return NULL;

    /*
     * Copy the length of the string in the placeholder.