1 files changed, 21 insertions, 3 deletions
diff --git a/src/engine/condition.cpp b/src/engine/condition.cpp
index 56fe76c2..b7cd7413 100644
--- a/src/engine/condition.cpp
+++ b/src/engine/condition.cpp
@@ -513,6 +513,7 @@ static HRESULT NextSymbol(
 {
    HRESULT hr = S_OK;
    WORD charType = 0;
+    ptrdiff_t cchPosition = 0;
    DWORD iPosition = 0;
    DWORD n = 0;
@@ -530,7 +531,13 @@ static HRESULT NextSymbol(
        }
        ++pContext->wzRead;
    }
-    iPosition = (DWORD)(pContext->wzRead - pContext->wzCondition);
+    cchPosition = pContext->wzRead - pContext->wzCondition;
+    if (DWORD_MAX < cchPosition || 0 > cchPosition)
+    {
+        ExitOnFailure(hr = E_INVALIDARG, "Symbol was too long: %ls", pContext->wzCondition);
+    }
+    iPosition = (DWORD)cchPosition;
    // read depending on first character type
    switch (pContext->wzRead[0])
@@ -922,8 +929,19 @@ static HRESULT CompareStringValues(
 {
    HRESULT hr = S_OK;
    DWORD dwCompareString = (comparison & INSENSITIVE) ? NORM_IGNORECASE : 0;
-    int cchLeft = lstrlenW(wzLeftOperand);
+    size_t cchLeftSize = 0;
-    int cchRight = lstrlenW(wzRightOperand);
+    size_t cchRightSize = 0;
+    int cchLeft = 0;
+    int cchRight = 0;
+    hr = ::StringCchLengthW(wzLeftOperand, STRSAFE_MAX_CCH, &cchLeftSize);
+    ExitOnRootFailure(hr, "Failed to get length of left string: %ls", wzLeftOperand);
+    hr = ::StringCchLengthW(wzRightOperand, STRSAFE_MAX_CCH, &cchRightSize);
+    ExitOnRootFailure(hr, "Failed to get length of right string: %ls", wzRightOperand);
+    cchLeft = static_cast<int>(cchLeftSize);
+    cchRight = static_cast<int>(cchRightSize);
    switch (comparison)
    {

diff --git a/src/engine/condition.cpp b/src/engine/condition.cpp index 56fe76c2..b7cd7413 100644 --- a/src/engine/condition.cpp +++ b/src/engine/condition.cpp
@@ -513,6 +513,7 @@ static HRESULT NextSymbol(
513	{	513	{
514	HRESULT hr = S_OK;	514	HRESULT hr = S_OK;
515	WORD charType = 0;	515	WORD charType = 0;
		516	ptrdiff_t cchPosition = 0;
516	DWORD iPosition = 0;	517	DWORD iPosition = 0;
517	DWORD n = 0;	518	DWORD n = 0;
518		519
@@ -530,7 +531,13 @@ static HRESULT NextSymbol(
530	}	531	}
531	++pContext->wzRead;	532	++pContext->wzRead;
532	}	533	}
533	iPosition = (DWORD)(pContext->wzRead - pContext->wzCondition);	534
		535	cchPosition = pContext->wzRead - pContext->wzCondition;
		536	if (DWORD_MAX < cchPosition \|\| 0 > cchPosition)
		537	{
		538	ExitOnFailure(hr = E_INVALIDARG, "Symbol was too long: %ls", pContext->wzCondition);
		539	}
		540	iPosition = (DWORD)cchPosition;
534		541
535	// read depending on first character type	542	// read depending on first character type
536	switch (pContext->wzRead[0])	543	switch (pContext->wzRead[0])
@@ -922,8 +929,19 @@ static HRESULT CompareStringValues(
922	{	929	{
923	HRESULT hr = S_OK;	930	HRESULT hr = S_OK;
924	DWORD dwCompareString = (comparison & INSENSITIVE) ? NORM_IGNORECASE : 0;	931	DWORD dwCompareString = (comparison & INSENSITIVE) ? NORM_IGNORECASE : 0;
925	int cchLeft = lstrlenW(wzLeftOperand);	932	size_t cchLeftSize = 0;
926	int cchRight = lstrlenW(wzRightOperand);	933	size_t cchRightSize = 0;
		934	int cchLeft = 0;
		935	int cchRight = 0;
		936
		937	hr = ::StringCchLengthW(wzLeftOperand, STRSAFE_MAX_CCH, &cchLeftSize);
		938	ExitOnRootFailure(hr, "Failed to get length of left string: %ls", wzLeftOperand);
		939
		940	hr = ::StringCchLengthW(wzRightOperand, STRSAFE_MAX_CCH, &cchRightSize);
		941	ExitOnRootFailure(hr, "Failed to get length of right string: %ls", wzRightOperand);
		942
		943	cchLeft = static_cast<int>(cchLeftSize);
		944	cchRight = static_cast<int>(cchRightSize);
927		945
928	switch (comparison)	946	switch (comparison)
929	{	947	{