[GDI32][NTGDI] Avoid integer overflow (follow-up of #1492) (#1495)

Follow up of #1492. CORE-15755 - Use RtlULongMult function to check integer overflows.
2026-06-03 09:51:03 +08:00 · 2019-04-11 17:57:57 +09:00
parent 811faed421
commit bc9f3ed887
3 changed files with 19 additions and 7 deletions
--- a/win32ss/gdi/gdi32/include/precomp.h
+++ b/win32ss/gdi/gdi32/include/precomp.h
@@ -58,5 +58,6 @@
 #include <ntgdibad.h>

 #include <undocgdi.h>
+#include <ntintsafe.h>

 #endif /* _GDI32_PCH_ */
--- a/win32ss/gdi/gdi32/objects/font.c
+++ b/win32ss/gdi/gdi32/objects/font.c
@@ -295,7 +295,9 @@ IntEnumFontFamilies(HDC Dc, const LOGFONTW *LogFont, PVOID EnumProc, LPARAM lPar
    ENUMLOGFONTEXA EnumLogFontExA;
    NEWTEXTMETRICEXA NewTextMetricExA;
    LOGFONTW lfW;
-    LONG DataSize, InfoCount;
+    LONG InfoCount;
+    ULONG DataSize;
+    NTSTATUS Status;

    DataSize = INITIAL_FAMILY_COUNT * sizeof(FONTFAMILYINFO);
    Info = RtlAllocateHeap(GetProcessHeap(), 0, DataSize);
@@ -330,7 +332,13 @@ IntEnumFontFamilies(HDC Dc, const LOGFONTW *LogFont, PVOID EnumProc, LPARAM lPar
    if (INITIAL_FAMILY_COUNT < InfoCount)
    {
        RtlFreeHeap(GetProcessHeap(), 0, Info);
-        DataSize = InfoCount * sizeof(FONTFAMILYINFO);
+
+        Status = RtlULongMult(InfoCount, sizeof(FONTFAMILYINFO), &DataSize);
+        if (!NT_SUCCESS(Status) || DataSize > LONG_MAX)
+        {
+            DPRINT1("Overflowed.\n");
+            return 1;
+        }
        Info = RtlAllocateHeap(GetProcessHeap(), 0, DataSize);
        if (Info == NULL)
        {
--- a/win32ss/gdi/ntgdi/freetype.c
+++ b/win32ss/gdi/ntgdi/freetype.c
@@ -5456,7 +5456,8 @@ NtGdiGetFontFamilyInfo(HDC Dc,
    NTSTATUS Status;
    LOGFONTW LogFont;
    PFONTFAMILYINFO Info;
-    LONG GotCount, AvailCount, DataSize, SafeInfoCount;
+    LONG GotCount, AvailCount, SafeInfoCount;
+    ULONG DataSize;

    if (UnsafeLogFont == NULL || UnsafeInfo == NULL || UnsafeInfoCount == NULL)
    {
@@ -5490,9 +5491,10 @@ NtGdiGetFontFamilyInfo(HDC Dc,
    }

    /* Allocate space for a safe copy */
-    DataSize = SafeInfoCount * sizeof(FONTFAMILYINFO);
-    if (DataSize <= 0)
+    Status = RtlULongMult(SafeInfoCount, sizeof(FONTFAMILYINFO), &DataSize);
+    if (!NT_SUCCESS(Status) || (ULONG)DataSize > LONG_MAX)
    {
+        DPRINT1("Overflowed.\n");
        EngSetLastError(ERROR_INVALID_PARAMETER);
        return -1;
    }
@@ -5511,9 +5513,10 @@ NtGdiGetFontFamilyInfo(HDC Dc,
    /* Return data to caller */
    if (GotCount > 0)
    {
-        DataSize = GotCount * sizeof(FONTFAMILYINFO);
-        if (DataSize <= 0)
+        Status = RtlULongMult(GotCount, sizeof(FONTFAMILYINFO), &DataSize);
+        if (!NT_SUCCESS(Status) || DataSize > LONG_MAX)
        {
+            DPRINT1("Overflowed.\n");
            ExFreePoolWithTag(Info, GDITAG_TEXT);
            EngSetLastError(ERROR_INVALID_PARAMETER);
            return -1;