ENUMLOGFONTEXA EnumLogFontExA;
NEWTEXTMETRICEXA NewTextMetricExA;
LOGFONTW lfW;
- LONG DataSize, InfoCount;
+ LONG InfoCount;
+ ULONG DataSize;
+ NTSTATUS Status;
DataSize = INITIAL_FAMILY_COUNT * sizeof(FONTFAMILYINFO);
Info = RtlAllocateHeap(GetProcessHeap(), 0, DataSize);
if (INITIAL_FAMILY_COUNT < InfoCount)
{
RtlFreeHeap(GetProcessHeap(), 0, Info);
- DataSize = InfoCount * sizeof(FONTFAMILYINFO);
+
+ Status = RtlULongMult(InfoCount, sizeof(FONTFAMILYINFO), &DataSize);
+ if (!NT_SUCCESS(Status) || DataSize > LONG_MAX)
+ {
+ DPRINT1("Overflowed.\n");
+ return 1;
+ }
Info = RtlAllocateHeap(GetProcessHeap(), 0, DataSize);
if (Info == NULL)
{
NTSTATUS Status;
LOGFONTW LogFont;
PFONTFAMILYINFO Info;
- LONG GotCount, AvailCount, DataSize, SafeInfoCount;
+ LONG GotCount, AvailCount, SafeInfoCount;
+ ULONG DataSize;
if (UnsafeLogFont == NULL || UnsafeInfo == NULL || UnsafeInfoCount == NULL)
{
}
/* Allocate space for a safe copy */
- DataSize = SafeInfoCount * sizeof(FONTFAMILYINFO);
- if (DataSize <= 0)
+ Status = RtlULongMult(SafeInfoCount, sizeof(FONTFAMILYINFO), &DataSize);
+ if (!NT_SUCCESS(Status) || (ULONG)DataSize > LONG_MAX)
{
+ DPRINT1("Overflowed.\n");
EngSetLastError(ERROR_INVALID_PARAMETER);
return -1;
}
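Review bot: A `SafeInfoCount` of zero now passes this check, because `RtlULongMult` succeeds with `DataSize == 0`, whereas the removed `DataSize <= 0` test rejected it. Unless the count is validated in lines not shown here, a zero-length request reaches the "safe copy" allocation that the comment above announces. `SafeInfoCount` appears to derive from the caller-supplied `UnsafeInfoCount`, so the precondition is better made explicit before the multiplication: `if (SafeInfoCount <= 0) { EngSetLastError(ERROR_INVALID_PARAMETER); return -1; }`. Negative counts are still rejected today, but only because the implicit LONG-to-ULONG conversion makes the product overflow, which deserves a comment if it stays that way. The `(ULONG)` cast on `DataSize` is also redundant now that it is declared `ULONG`; `DataSize > LONG_MAX` would match the other two checks (both of which run only for a positive count), and the enclosing function starts and ends outside the visible lines.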
/* Return data to caller */
if (GotCount > 0)
{
- DataSize = GotCount * sizeof(FONTFAMILYINFO);
- if (DataSize <= 0)
+ Status = RtlULongMult(GotCount, sizeof(FONTFAMILYINFO), &DataSize);
+ if (!NT_SUCCESS(Status) || DataSize > LONG_MAX)
{
+ DPRINT1("Overflowed.\n");
ExFreePoolWithTag(Info, GDITAG_TEXT);
EngSetLastError(ERROR_INVALID_PARAMETER);
return -1;