Wolfram Sang : user32: Apply sanity-check in BITMAP_Load.
Alexandre Julliard
julliard at winehq.org
Mon May 17 09:39:30 CDT 2010
Module: wine
Branch: master
Commit: 636e35d8ada49883fc16de3700a006f7daad6441
URL: http://source.winehq.org/git/wine.git/?a=commit;h=636e35d8ada49883fc16de3700a006f7daad6441
Author: Wolfram Sang <wolfram at the-dreams.de>
Date: Mon May 17 04:57:36 2010 +0200
user32: Apply sanity-check in BITMAP_Load.
---
dlls/user32/cursoricon.c | 9 +++++++--
dlls/user32/tests/cursoricon.c | 21 ++++++++++++++-------
2 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/dlls/user32/cursoricon.c b/dlls/user32/cursoricon.c
index 8cccbbe..dcd94b1 100644
--- a/dlls/user32/cursoricon.c
+++ b/dlls/user32/cursoricon.c
@@ -2421,12 +2421,16 @@ static HBITMAP BITMAP_Load( HINSTANCE instance, LPCWSTR name,
if (bmfh->bfType != 0x4d42 /* 'BM' */)
{
WARN("Invalid/unsupported bitmap format!\n");
- UnmapViewOfFile( ptr );
- return 0;
+ goto end_close;
}
offbits = bmfh->bfOffBits - sizeof(BITMAPFILEHEADER);
}
+ if (info->bmiHeader.biHeight > 65535 || info->bmiHeader.biWidth > 65535) {
+ WARN("Broken BitmapInfoHeader!\n");
+ goto end_close;
+ }
+
size = bitmap_info_size(info, DIB_RGB_COLORS);
fix_info = HeapAlloc(GetProcessHeap(), 0, size);
scaled_info = HeapAlloc(GetProcessHeap(), 0, size);
@@ -2490,6 +2494,7 @@ end:
if (screen_mem_dc) DeleteDC(screen_mem_dc);
HeapFree(GetProcessHeap(), 0, scaled_info);
HeapFree(GetProcessHeap(), 0, fix_info);
+end_close:
if (loadflags & LR_LOADFROMFILE) UnmapViewOfFile( ptr );
return hbitmap;
diff --git a/dlls/user32/tests/cursoricon.c b/dlls/user32/tests/cursoricon.c
index a7be34f..8af4126 100644
--- a/dlls/user32/tests/cursoricon.c
+++ b/dlls/user32/tests/cursoricon.c
@@ -667,14 +667,14 @@ static void test_CreateIcon(void)
/* Shamelessly ripped from dlls/oleaut32/tests/olepicture.c */
/* 1x1 pixel gif */
-static const unsigned char gifimage[35] = {
+static unsigned char gifimage[35] = {
0x47,0x49,0x46,0x38,0x37,0x61,0x01,0x00,0x01,0x00,0x80,0x00,0x00,0xff,0xff,0xff,
0xff,0xff,0xff,0x2c,0x00,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x02,0x02,0x44,
0x01,0x00,0x3b
};
/* 1x1 pixel jpg */
-static const unsigned char jpgimage[285] = {
+static unsigned char jpgimage[285] = {
0xff,0xd8,0xff,0xe0,0x00,0x10,0x4a,0x46,0x49,0x46,0x00,0x01,0x01,0x01,0x01,0x2c,
0x01,0x2c,0x00,0x00,0xff,0xdb,0x00,0x43,0x00,0x05,0x03,0x04,0x04,0x04,0x03,0x05,
0x04,0x04,0x04,0x05,0x05,0x05,0x06,0x07,0x0c,0x08,0x07,0x07,0x07,0x07,0x0f,0x0b,
@@ -696,7 +696,7 @@ static const unsigned char jpgimage[285] = {
};
/* 1x1 pixel png */
-static const unsigned char pngimage[285] = {
+static unsigned char pngimage[285] = {
0x89,0x50,0x4e,0x47,0x0d,0x0a,0x1a,0x0a,0x00,0x00,0x00,0x0d,0x49,0x48,0x44,0x52,
0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x08,0x02,0x00,0x00,0x00,0x90,0x77,0x53,
0xde,0x00,0x00,0x00,0x09,0x70,0x48,0x59,0x73,0x00,0x00,0x0b,0x13,0x00,0x00,0x0b,
@@ -708,7 +708,7 @@ static const unsigned char pngimage[285] = {
/* 1x1 pixel bmp with gap between palette and bitmap. Correct bitmap contains only
zeroes, gap is 0xFF. */
-static const unsigned char bmpimage[70] = {
+static unsigned char bmpimage[70] = {
0x42,0x4d,0x46,0x00,0x00,0x00,0xDE,0xAD,0xBE,0xEF,0x42,0x00,0x00,0x00,0x28,0x00,
0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,
0x00,0x00,0x04,0x00,0x00,0x00,0x12,0x0b,0x00,0x00,0x12,0x0b,0x00,0x00,0x02,0x00,
@@ -717,7 +717,7 @@ static const unsigned char bmpimage[70] = {
};
/* 2x2 pixel gif */
-static const unsigned char gif4pixel[42] = {
+static unsigned char gif4pixel[42] = {
0x47,0x49,0x46,0x38,0x37,0x61,0x02,0x00,0x02,0x00,0xa1,0x00,0x00,0x00,0x00,0x00,
0x39,0x62,0xfc,0xff,0x1a,0xe5,0xff,0xff,0xff,0x2c,0x00,0x00,0x00,0x00,0x02,0x00,
0x02,0x00,0x00,0x02,0x03,0x14,0x16,0x05,0x00,0x3b
@@ -746,7 +746,7 @@ static void test_LoadImageBitmap(HBITMAP hbm)
ok(color_match(pixel, 0x00ffffff), "Pixel is 0x%08x\n", pixel);
}
-static void test_LoadImageFile(const unsigned char * image_data,
+static void test_LoadImageFile(unsigned char * image_data,
unsigned int image_size, const char * ext, BOOL expect_success)
{
HANDLE handle;
@@ -787,7 +787,7 @@ static void test_LoadImageFile(const unsigned char * image_data,
"Last error: %u\n", error);
if (handle != NULL) DestroyIcon(handle);
- /* Load as bitmap. Should succeed if bmp, fail for everything else */
+ /* Load as bitmap. Should succeed for correct bmp, fail for everything else */
SetLastError(0xdeadbeef);
handle = LoadImageA(NULL, filename, IMAGE_BITMAP, 0, 0, LR_LOADFROMFILE);
error = GetLastError();
@@ -897,6 +897,13 @@ static void test_LoadImage(void)
test_LoadImageFile(gif4pixel, sizeof(gif4pixel), "gif", 0);
test_LoadImageFile(jpgimage, sizeof(jpgimage), "jpg", 0);
test_LoadImageFile(pngimage, sizeof(pngimage), "png", 0);
+ /* Check failure for broken BMP images */
+ bmpimage[0x14]++; /* biHeight > 65535 */
+ test_LoadImageFile(bmpimage, sizeof(bmpimage), "bmp", 0);
+ bmpimage[0x14]--;
+ bmpimage[0x18]++; /* biWidth > 65535 */
+ test_LoadImageFile(bmpimage, sizeof(bmpimage), "bmp", 0);
+ bmpimage[0x18]--;
}
static void test_CreateIconFromResource(void)
More information about the wine-cvs
mailing list