Fix potential overflow issues in WPF native code#11642
Open
himgoyalmicro wants to merge 2 commits into
Open
Conversation
dotnet-policy-service
Bot
added
the
PR
Contributor
There was a problem hiding this comment.
Pull request overview
This PR addresses multiple potential integer-overflow and out-of-bounds scenarios across WPF native components (WpfGfx, PenImc, DirectWriteForwarder/TtfDelta), and introduces AppContext-controlled “opt-out” switches to preserve backward behavior when required.
Changes:
- Adds overflow-safe arithmetic and additional bounds validations around texture sizing, buffer offsets, and palette indexing in native code paths.
- Introduces new native/managed switches (WpfGfx, PenImc, TtfDelta) to disable the added bounds-check protections if necessary.
- Hardens the DirectWriteForwarder TrueType subsetter (TtfDelta) with widespread allocation/offset overflow checks guarded by the new switch.
Reviewed changes
Copilot reviewed 35 out of 36 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| src/Microsoft.DotNet.Wpf/src/WpfGfx/core/resources/glyphrunslave.cpp | Adds overflow-checked texture size computations for glyph alpha map realization. |
| src/Microsoft.DotNet.Wpf/src/WpfGfx/core/hw/hwbitmapcolorsource.cpp | Uses overflow-safe offset math and buffer-size validation before CopyPixels/self-copy operations. |
| src/Microsoft.DotNet.Wpf/src/WpfGfx/core/hw/d3dglyphbank.cpp | Uses 64-bit arithmetic for src pointer/row calculations to avoid overflow. |
| src/Microsoft.DotNet.Wpf/src/WpfGfx/core/dll/wpfgfx.def | Exports a new native entry point to control bounds-check protection. |
| src/Microsoft.DotNet.Wpf/src/WpfGfx/core/common/gradienttexture.cpp | Whitespace-only change. |
| src/Microsoft.DotNet.Wpf/src/WpfGfx/core/common/engine.cpp | Removes trailing blank lines. |
| src/Microsoft.DotNet.Wpf/src/WpfGfx/common/shared/WpfGfxSwitches.h | Adds a native switch holder for WpfGfx bounds-check mitigation (missing standard license header). |
| src/Microsoft.DotNet.Wpf/src/WpfGfx/common/shared/WpfGfxSwitches.cpp | Implements WpfGfx switch storage and exported setter. |
| src/Microsoft.DotNet.Wpf/src/WpfGfx/common/shared/shared.vcxproj | Includes WpfGfxSwitches.cpp in the shared project build. |
| src/Microsoft.DotNet.Wpf/src/WpfGfx/common/shared/shared.h | Ensures WpfGfxSwitches.h is included for consumers. |
| src/Microsoft.DotNet.Wpf/src/WpfGfx/common/shared/dynarray.h | Uses FreAssert vs Assert in First/Last based on the WpfGfx mitigation switch. |
| src/Microsoft.DotNet.Wpf/src/WpfGfx/common/scanop/soconvert.cpp | Adds palette bounds protections gated by the WpfGfx mitigation switch. |
| src/Microsoft.DotNet.Wpf/src/WpfGfx/common/effects/effectlist.cpp | Adds offset+size bounds validation when returning effect parameter blocks. |
| src/Microsoft.DotNet.Wpf/src/PresentationCore/System/Windows/Media/UnsafeNativeMethodsMilCoreApi.cs | Adds P/Invoke for WpfGfx bounds-check switch setter. |
| src/Microsoft.DotNet.Wpf/src/PresentationCore/System/Windows/Media/MediaSystem.cs | Passes the WpfGfx bounds-check mitigation switch to native at startup. |
| src/Microsoft.DotNet.Wpf/src/PresentationCore/MS/Win32/UnsafeNativeMethodsPenimc.cs | Adds PenImc P/Invoke and forwards AppContext mitigation switch during activation. |
| src/Microsoft.DotNet.Wpf/src/PresentationCore/MS/internal/CoreAppContextSwitches.cs | Adds AppContext switch definitions for DWF, PenImc, and WpfGfx mitigations. |
| src/Microsoft.DotNet.Wpf/src/PenImc/dll/PimcTablet.cpp | Adds upper bounds on COM-reported counts; adds null-guard in IsPropertySupported when mitigation enabled. |
| src/Microsoft.DotNet.Wpf/src/PenImc/dll/PimcContext.cpp | Uses overflow-safe doubling for packet buffer sizing when mitigation enabled. |
| src/Microsoft.DotNet.Wpf/src/PenImc/dll/PenImcSwitches.h | Adds a native switch holder for PenImc bounds-check mitigation (missing standard license header). |
| src/Microsoft.DotNet.Wpf/src/PenImc/dll/PenImc.def | Exports PenImc switch setter (PRIVATE). |
| src/Microsoft.DotNet.Wpf/src/PenImc/dll/PenImc.cpp | Implements PenImc switch storage and exported setter. |
| src/Microsoft.DotNet.Wpf/src/DirectWriteForwarder/main.cpp | Defines the DWF/TtfDelta global “safe checks enabled” flag. |
| src/Microsoft.DotNet.Wpf/src/DirectWriteForwarder/CPP/TrueTypeSubsetter/TtfDelta/ttftable.cpp | Adds allocation overflow checks and additional bounds checks (incl. negative index check) behind the safety flag. |
| src/Microsoft.DotNet.Wpf/src/DirectWriteForwarder/CPP/TrueTypeSubsetter/TtfDelta/ttftabl1.cpp | Adds overflow checks for read offsets behind the safety flag. |
| src/Microsoft.DotNet.Wpf/src/DirectWriteForwarder/CPP/TrueTypeSubsetter/TtfDelta/ttfdelta.cpp | Adds overflow-safe size calculations; changes CalcOutputBufferSize to return error code when safety enabled. |
| src/Microsoft.DotNet.Wpf/src/DirectWriteForwarder/CPP/TrueTypeSubsetter/TtfDelta/ttfacc.cpp | Adds parameter validation and overflow-safe offset/size computations behind the safety flag. |
| src/Microsoft.DotNet.Wpf/src/DirectWriteForwarder/CPP/TrueTypeSubsetter/TtfDelta/ttf_safe_checks.h | Introduces the DWF/TtfDelta safety flag helper macro and extern. |
| src/Microsoft.DotNet.Wpf/src/DirectWriteForwarder/CPP/TrueTypeSubsetter/TtfDelta/modtable.cpp | Adds overflow-safe allocations and offset checks behind the safety flag. |
| src/Microsoft.DotNet.Wpf/src/DirectWriteForwarder/CPP/TrueTypeSubsetter/TtfDelta/modsbit.cpp | Adds extensive EBDT bounds checking and safer realloc/offset math behind the safety flag. |
| src/Microsoft.DotNet.Wpf/src/DirectWriteForwarder/CPP/TrueTypeSubsetter/TtfDelta/modglyf.cpp | Adds overflow-safe allocation and offset computations for glyf/loca operations behind the safety flag. |
| src/Microsoft.DotNet.Wpf/src/DirectWriteForwarder/CPP/TrueTypeSubsetter/TtfDelta/modcmap.cpp | Adds overflow-safe allocations and guards against empty glyph-map access when safety enabled. |
| src/Microsoft.DotNet.Wpf/src/DirectWriteForwarder/CPP/TrueTypeSubsetter/TtfDelta/makeglst.cpp | Adds overflow-safe allocations for symbol list/loca/components behind the safety flag. |
| src/Microsoft.DotNet.Wpf/src/DirectWriteForwarder/CPP/TrueTypeSubsetter/TtfDelta/intsafe_private_copy.h | Adds uint32 convenience wrappers for overflow-safe helpers. |
| src/Microsoft.DotNet.Wpf/src/DirectWriteForwarder/CPP/TrueTypeSubsetter/TtfDelta/automap.cpp | Adds overflow checks and bounds validation for GSUB/JSTF parsing behind the safety flag. |
| src/Microsoft.DotNet.Wpf/src/DirectWriteForwarder/CPP/TrueTypeSubsetter/truetype.cpp | Initializes the safety flag from AppContext and adds size validations before allocating managed arrays. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+1
to
+7
| #pragma once | ||
|
|
||
| /// <summary> | ||
| /// Switch for WpfGfx security fixes, set from managed CoreAppContextSwitches | ||
| /// via P/Invoke at startup. | ||
| /// </summary> | ||
| class WpfGfxSwitches |
Comment on lines
+1
to
+7
| #pragma once | ||
|
|
||
| /// <summary> | ||
| /// Switch for PenImc security fixes, set from managed CoreAppContextSwitches | ||
| /// via P/Invoke at startup. | ||
| /// </summary> | ||
| class PenImcSwitches |
Comment on lines
+67
to
+76
| static bool s_switchInitialized = false; | ||
| if (!s_switchInitialized) | ||
| { | ||
| s_switchInitialized = true; | ||
| bool switchValue = false; | ||
| System::AppContext::TryGetSwitch( | ||
| "Switch.MS.Internal.TtfDelta.DisableDirectWriteForwarderBoundsCheckProtection", | ||
| switchValue); | ||
| MS::Internal::TtfDelta::g_fDWFBoundsCheckEnabled = switchValue ? 0 : 1; | ||
| } |
dipeshmsft
previously approved these changes
May 14, 2026
Member
dipeshmsft
left a comment
dipeshmsft
left a comment
There was a problem hiding this comment.
Ran the script to verify the changes with fixes in 8.0 and 9.0. There are no extra changes. LGTM.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #11632 #11631
Description
Fixes the potential Overflow issues in WPF native code
Microsoft Reviewers: Open in CodeFlow