Stefan Dösinger : ddraw: Validate the input data in TransformVertices. - wine-commits

1 Sep 2016

Module: wine
Branch: master
Commit: 3cd0d92c8c48b1507c9cb8c9b449a597ef368a3a
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=3cd0d92c8c48b1507c9cb8c9b4...
Author: Stefan Dösinger stefandoesinger@gmx.at
Date:   Wed Aug 31 22:01:26 2016 +0100
ddraw: Validate the input data in TransformVertices.
Signed-off-by: Stefan Dösinger stefandoesinger@gmx.at
Signed-off-by: Henri Verbeet hverbeet@codeweavers.com
Signed-off-by: Alexandre Julliard julliard@winehq.org
---
dlls/ddraw/viewport.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/dlls/ddraw/viewport.c b/dlls/ddraw/viewport.c
index d857dc3..393113e 100644
--- a/dlls/ddraw/viewport.c
+++ b/dlls/ddraw/viewport.c
@@ -370,7 +370,7 @@ static HRESULT WINAPI d3d_viewport_SetViewport(IDirect3DViewport3 *iface, D3DVIE
  *
  * Params:
  *  dwVertexCount: The number of vertices to be transformed
- *  lpData: Pointer to the vertex data
+ *  data: Pointer to the vertex input / output data.
  *  dwFlags: D3DTRANSFORM_CLIPPED or D3DTRANSFORM_UNCLIPPED
  *  offscreen: Logical AND of the planes that clipped the vertices if clipping
  *          is on. 0 if clipping is off.
@@ -391,7 +391,7 @@ struct transform_vertices_vertex
 };
static HRESULT WINAPI d3d_viewport_TransformVertices(IDirect3DViewport3 *iface,
-        DWORD dwVertexCount, D3DTRANSFORMDATA *lpData, DWORD dwFlags, DWORD *offscreen)
+        DWORD dwVertexCount, D3DTRANSFORMDATA *data, DWORD dwFlags, DWORD *offscreen)
 {
     struct d3d_viewport *viewport = impl_from_IDirect3DViewport3(iface);
     D3DVIEWPORT vp = viewport->viewports.vp1;
@@ -401,8 +401,8 @@ static HRESULT WINAPI d3d_viewport_TransformVertices(IDirect3DViewport3 *iface,
     unsigned int i;
     D3DHVERTEX *outH;
-    TRACE("iface %p, vertex_count %u, vertex_data %p, flags %#x, offscreen %p.\n",
-            iface, dwVertexCount, lpData, dwFlags, offscreen);
+    TRACE("iface %p, vertex_count %u, data %p, flags %#x, offscreen %p.\n",
+            iface, dwVertexCount, data, dwFlags, offscreen);
/* Tests on windows show that Windows crashes when this occurs,
      * so don't return the (intuitive) return value
@@ -413,7 +413,12 @@ static HRESULT WINAPI d3d_viewport_TransformVertices(IDirect3DViewport3 *iface,
     }
      */
-    if(!(dwFlags & (D3DTRANSFORM_UNCLIPPED | D3DTRANSFORM_CLIPPED)))
+    if (!data || data->dwSize != sizeof(*data))
+    {
+        WARN("Transform data is NULL or size is incorrect, returning DDERR_INVALIDPARAMS\n");
+        return DDERR_INVALIDPARAMS;
+    }
+    if (!(dwFlags & (D3DTRANSFORM_UNCLIPPED | D3DTRANSFORM_CLIPPED)))
     {
         WARN("No clipping flag passed, returning DDERR_INVALIDPARAMS\n");
         return DDERR_INVALIDPARAMS;
@@ -434,11 +439,11 @@ static HRESULT WINAPI d3d_viewport_TransformVertices(IDirect3DViewport3 *iface,
     else
         *offscreen = 0;
-    outH = lpData->lpHOut;
+    outH = data->lpHOut;
     for(i = 0; i < dwVertexCount; i++)
     {
-        in = (struct transform_vertices_vertex *)((char *)lpData->lpIn + lpData->dwInSize * i);
-        out = (struct transform_vertices_vertex *)((char *)lpData->lpOut + lpData->dwOutSize * i);
+        in = (struct transform_vertices_vertex *)((char *)data->lpIn + data->dwInSize * i);
+        out = (struct transform_vertices_vertex *)((char *)data->lpOut + data->dwOutSize * i);
x = (in->x * mat._11) + (in->y * mat._21) + (in->z * mat._31) + mat._41;
         y = (in->x * mat._12) + (in->y * mat._22) + (in->z * mat._32) + mat._42;

    