From caa301a73670d49a4553faab165d65f44c315693 Mon Sep 17 00:00:00 2001
From: Marcus Meissner <marcus@jet.franken.de>
Date: Fri, 24 Nov 2006 08:45:57 +0100
Subject: [PATCH] oleaut32: Protect against integer overflow in
 SysAllocStringLen.

---
 dlls/oleaut32/oleaut.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/dlls/oleaut32/oleaut.c b/dlls/oleaut32/oleaut.c
index 8ffdc72553b..d6a08a92ff9 100644
--- a/dlls/oleaut32/oleaut.c
+++ b/dlls/oleaut32/oleaut.c
@@ -20,6 +20,7 @@
 
 #include <stdarg.h>
 #include <string.h>
+#include <limits.h>
 
 #define COBJMACROS
 
@@ -217,6 +218,9 @@ BSTR WINAPI SysAllocStringLen(const OLECHAR *str, unsigned int len)
     DWORD* newBuffer;
     WCHAR* stringBuffer;
 
+    /* Detect integer overflow. */
+    if (len >= ((UINT_MAX-sizeof(WCHAR)-sizeof(DWORD))/sizeof(WCHAR)))
+	return NULL;
     /*
      * Find the length of the buffer passed-in, in bytes.
      */
@@ -234,8 +238,8 @@ BSTR WINAPI SysAllocStringLen(const OLECHAR *str, unsigned int len)
     /*
      * If the memory allocation failed, return a null pointer.
      */
-    if (newBuffer==0)
-      return 0;
+    if (!newBuffer)
+      return NULL;
 
     /*
      * Copy the length of the string in the placeholder.
-- 
2.11.4.GIT