From 1bcc7ce75f64f2894de43379674bc5c53c52bb3a Mon Sep 17 00:00:00 2001
From: Henri Verbeet
Date: Sun, 10 Jul 2016 15:09:20 +0200
Subject: [PATCH] d3d10: Validate offsets and size in parse_fx10_type() (AFL).
Signed-off-by: Henri Verbeet
Signed-off-by: Alexandre Julliard
---
 dlls/d3d10/effect.c | 40 +++++++++++++++++++++++++++++++++++-----
 1 file changed, 35 insertions(+), 5 deletions(-)
diff --git a/dlls/d3d10/effect.c b/dlls/d3d10/effect.c
index 4736fa93e0e..4760489d085 100644
--- a/dlls/d3d10/effect.c
+++ b/dlls/d3d10/effect.c
@@ -598,11 +598,18 @@ static D3D10_SHADER_VARIABLE_TYPE d3d10_variable_type(DWORD t, BOOL is_object)
 static HRESULT parse_fx10_type(const char *data, size_t data_size, DWORD offset,
 struct d3d10_effect_type *t)
 {
- const char *ptr = data + offset;
+ const char *ptr;
 DWORD unknown0;
 DWORD typeinfo;
 unsigned int i;
+ if (offset >= data_size || !require_space(offset, 6, sizeof(DWORD), data_size))
+ {
+ WARN("Invalid offset %#x (data size %#lx).\n", offset, (long)data_size);
+ return E_FAIL;
+ }
+
+ ptr = data + offset;
 read_dword(&ptr, &offset);
 TRACE("Type name at offset %#x.\n", offset);
@@ -631,9 +638,14 @@ static HRESULT parse_fx10_type(const char *data, size_t data_size, DWORD offset,
 switch (unknown0)
 {
 case 1:
- t->member_count = 0;
+ if (!require_space(ptr - data, 1, sizeof(typeinfo), data_size))
+ {
+ WARN("Invalid offset %#x (data size %#lx).\n", offset, (long)data_size);
+ return E_FAIL;
+ }
 read_dword(&ptr, &typeinfo);
+ t->member_count = 0;
 t->column_count = (typeinfo & D3D10_FX10_TYPE_COLUMN_MASK) >> D3D10_FX10_TYPE_COLUMN_SHIFT;
 t->row_count = (typeinfo & D3D10_FX10_TYPE_ROW_MASK) >> D3D10_FX10_TYPE_ROW_SHIFT;
 t->basetype = d3d10_variable_type((typeinfo & D3D10_FX10_TYPE_BASETYPE_MASK) >> D3D10_FX10_TYPE_BASETYPE_SHIFT, FALSE);
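Review bot: The literal 6 in `require_space(offset, 6, sizeof(DWORD), data_size)` is the number of header DWORDs the new check reserves, but nothing in the hunk ties it to the reads it protects; a comment such as `/* 6 DWORDs: name offset, unknown0 and the rest of the fixed type header read below */` would keep the count in sync when a header field is added, since the reads after `read_dword(&ptr, &offset)` are outside the hunk. The explicit `offset >= data_size` test looks redundant if require_space already rejects an offset at or past the end of the buffer; require_space is not visible here, so either drop the extra test or comment why both are needed. The `(long)data_size` cast for `%#lx` truncates the logged size on targets where long is 32-bit, which only affects the diagnostic. parse_fx10_type's body continues outside the hunk.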
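Review bot: The WARN emitted when the new `require_space(ptr - data, 1, sizeof(typeinfo), data_size)` check fails prints `offset`, but by this point `offset` holds the type-name offset stored by `read_dword(&ptr, &offset)` in the first hunk (its `TRACE("Type name at offset %#x.\n", offset)` shows this), not the position at which `typeinfo` would be read, so the message reports a misleading location. Print the position that was actually checked, e.g. `WARN("Invalid offset %#lx (data size %#lx).\n", (long)(ptr - data), (long)data_size);`. The same applies to the WARNs added in the case 2, case 3 and member-table hunks that follow. The switch body continues outside the hunk.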
@@ -651,13 +663,18 @@ static HRESULT parse_fx10_type(const char *data, size_t data_size, DWORD offset,
 case 2:
 TRACE("Type is an object.\n");
+ if (!require_space(ptr - data, 1, sizeof(typeinfo), data_size))
+ {
+ WARN("Invalid offset %#x (data size %#lx).\n", offset, (long)data_size);
+ return E_FAIL;
+ }
+
+ read_dword(&ptr, &typeinfo);
 t->member_count = 0;
 t->column_count = 0;
 t->row_count = 0;
- t->type_class = D3D10_SVC_OBJECT;
-
- read_dword(&ptr, &typeinfo);
 t->basetype = d3d10_variable_type(typeinfo, TRUE);
+ t->type_class = D3D10_SVC_OBJECT;
 TRACE("Type description: %#x.\n", typeinfo);
 TRACE("\tbasetype: %s.\n", debug_d3d10_shader_variable_type(t->basetype));
@@ -667,6 +684,12 @@ static HRESULT parse_fx10_type(const char *data, size_t data_size, DWORD offset,
 case 3:
 TRACE("Type is a structure.\n");
+ if (!require_space(ptr - data, 1, sizeof(t->member_count), data_size))
+ {
+ WARN("Invalid offset %#x (data size %#lx).\n", offset, (long)data_size);
+ return E_FAIL;
+ }
+
 read_dword(&ptr, &t->member_count);
 TRACE("Member count: %u.\n", t->member_count);
@@ -681,6 +704,13 @@ static HRESULT parse_fx10_type(const char *data, size_t data_size, DWORD offset,
 return E_OUTOFMEMORY;
 }
+ if (!require_space(ptr - data, t->member_count, 4 * sizeof(DWORD), data_size))
+ {
+ WARN("Invalid member count %#x (data size %#lx, offset %#x).\n",
+ t->member_count, (long)data_size, offset);
+ return E_FAIL;
+ }
+
 for (i = 0; i < t->member_count; ++i)
 {
 struct d3d10_effect_type_member *typem = &t->members[i];
--
2.11.4.GIT
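Review bot: The new member-table bounds check runs after `t->members` has already been allocated (the allocation's failure path `return E_OUTOFMEMORY;` ends just above the added lines), and the new `return E_FAIL;` does not release that allocation; unless the caller frees `t->members` on failure, a truncated file now leaks it. Moving the `require_space(ptr - data, t->member_count, 4 * sizeof(DWORD), data_size)` check ahead of the allocation would both close that path and avoid attempting a large allocation for a member_count the check is about to reject. A short comment on what the `4 * sizeof(DWORD)` per-member size covers would also help, since the fields read per member are outside the hunk. The allocation and the for loop both extend beyond the hunk.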