- CopyAcceleratorTable can cause a buffer overflow because it uses an
  incorrect comparison between the number of accelerator entries
  available and the number of accelerator entries in the output buffer.
- My tests show that CopyAcceleratorTable always strips the high bit
  of the fVirt member of the accel struct.
- Calling DestroyAcceleratorTable with a NULL accelerator should
  return FALSE.
Mike McCormack 2004-07-12 20:42:30 +00:00 committed by Alexandre Julliard
parent 74cebde291
commit 9243c96e01


@ -160,7 +160,7 @@ INT WINAPI CopyAcceleratorTableW(HACCEL src, LPACCEL dst,
return 0;
}
xsize = GlobalSize16(HACCEL_16(src))/sizeof(ACCEL16);
if (xsize>entries) entries=xsize;
if (xsize<entries) entries=xsize;
i=0;
while(!done) {
@ -171,15 +171,13 @@ INT WINAPI CopyAcceleratorTableW(HACCEL src, LPACCEL dst,
/* Copy data to the destination structure array (if dst == NULL,
we're just supposed to count the number of entries). */
if(dst) {
dst[i].fVirt = accel[i].fVirt;
dst[i].fVirt = accel[i].fVirt&0x7f;
dst[i].key = accel[i].key;
dst[i].cmd = accel[i].cmd;
/* Check if we've reached the end of the application supplied
accelerator table. */
if(i+1 == entries) {
/* Turn off the high order bit, just in case. */
dst[i].fVirt &= 0x7f;
done = TRUE;
}
}
@ -308,6 +306,8 @@ HACCEL WINAPI CreateAcceleratorTableW(LPACCEL lpaccel, INT cEntries)
*/
BOOL WINAPI DestroyAcceleratorTable( HACCEL handle )
{
if( !handle )
return FALSE;
return !GlobalFree16(HACCEL_16(handle));
}
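Review bot: In CopyAcceleratorTableW the copy loop still stores into `dst[i]` before it tests `if(i+1 == entries)`, and that test stops only on exact equality, so the corrected clamp `if (xsize<entries) entries=xsize;` does not bound the write if it leaves `entries` at 0 (a source block smaller than one ACCEL16). In that case `dst[0]` is written anyway and the loop continues until some other exit condition, which is outside the visible lines. Any validation of `entries` above the hunk is not shown and would run before the clamp, so it cannot catch this; I would add `if (dst && entries < 1) return 0;` right after the clamp and change the end test to `if(i+1 >= entries)`. The loop body between the two hunks is not shown, so it is also worth checking that the `dst == NULL` counting path is bounded by `xsize` rather than only by the table's end marker.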