Wolfram Sang : user32: Apply sanity-check in BITMAP_Load.

Alexandre Julliard julliard at winehq.org
Mon May 17 09:39:30 CDT 2010


Module: wine
Branch: master
Commit: 636e35d8ada49883fc16de3700a006f7daad6441
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=636e35d8ada49883fc16de3700a006f7daad6441

Author: Wolfram Sang <wolfram at the-dreams.de>
Date:   Mon May 17 04:57:36 2010 +0200

user32: Apply sanity-check in BITMAP_Load.

---

 dlls/user32/cursoricon.c       |    9 +++++++--
 dlls/user32/tests/cursoricon.c |   21 ++++++++++++++-------
 2 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/dlls/user32/cursoricon.c b/dlls/user32/cursoricon.c
index 8cccbbe..dcd94b1 100644
--- a/dlls/user32/cursoricon.c
+++ b/dlls/user32/cursoricon.c
@@ -2421,12 +2421,16 @@ static HBITMAP BITMAP_Load( HINSTANCE instance, LPCWSTR name,
         if (bmfh->bfType != 0x4d42 /* 'BM' */)
         {
             WARN("Invalid/unsupported bitmap format!\n");
-            UnmapViewOfFile( ptr );
-            return 0;
+            goto end_close;
         }
         offbits = bmfh->bfOffBits - sizeof(BITMAPFILEHEADER);
     }
 
+    if (info->bmiHeader.biHeight > 65535 || info->bmiHeader.biWidth > 65535) {
+        WARN("Broken BitmapInfoHeader!\n");
+        goto end_close;
+    }
+
     size = bitmap_info_size(info, DIB_RGB_COLORS);
     fix_info = HeapAlloc(GetProcessHeap(), 0, size);
     scaled_info = HeapAlloc(GetProcessHeap(), 0, size);
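Review bot: The added check in BITMAP_Load has no lower bound, so if `biWidth`/`biHeight` are signed (they are LONG in the Windows headers), a negative width or a height such as -0x7fffffff still passes and continues into the rest of the load path. Negative heights are legitimate for top-down DIBs, so the test should bound the magnitude rather than only the positive side: `if (info->bmiHeader.biWidth < 0 || info->bmiHeader.biWidth > 65535 || info->bmiHeader.biHeight > 65535 || info->bmiHeader.biHeight < -65535)`. A short comment saying where the 65535 limit comes from would also help the next reader. BITMAP_Load starts and ends outside this hunk, so whether later code already copes with negative dimensions cannot be confirmed from here.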
@@ -2490,6 +2494,7 @@ end:
     if (screen_mem_dc) DeleteDC(screen_mem_dc);
     HeapFree(GetProcessHeap(), 0, scaled_info);
     HeapFree(GetProcessHeap(), 0, fix_info);
+end_close:
     if (loadflags & LR_LOADFROMFILE) UnmapViewOfFile( ptr );
 
     return hbitmap;
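Review bot: Both `goto end_close` exits now return `hbitmap` where the old code returned a literal 0, so the failure result depends on `hbitmap` being initialised to 0 at its declaration, which is outside this hunk. If it is not, the rejected-header path hands an indeterminate handle back to the caller; confirm the initialiser or set `hbitmap = 0;` before the jumps. A comment on the label such as `/* reached before fix_info/scaled_info and the DCs exist */` would document why it sits below the other cleanup.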
diff --git a/dlls/user32/tests/cursoricon.c b/dlls/user32/tests/cursoricon.c
index a7be34f..8af4126 100644
--- a/dlls/user32/tests/cursoricon.c
+++ b/dlls/user32/tests/cursoricon.c
@@ -667,14 +667,14 @@ static void test_CreateIcon(void)
 
 /* Shamelessly ripped from dlls/oleaut32/tests/olepicture.c */
 /* 1x1 pixel gif */
-static const unsigned char gifimage[35] = {
+static unsigned char gifimage[35] = {
 0x47,0x49,0x46,0x38,0x37,0x61,0x01,0x00,0x01,0x00,0x80,0x00,0x00,0xff,0xff,0xff,
 0xff,0xff,0xff,0x2c,0x00,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x02,0x02,0x44,
 0x01,0x00,0x3b
 };
 
 /* 1x1 pixel jpg */
-static const unsigned char jpgimage[285] = {
+static unsigned char jpgimage[285] = {
 0xff,0xd8,0xff,0xe0,0x00,0x10,0x4a,0x46,0x49,0x46,0x00,0x01,0x01,0x01,0x01,0x2c,
 0x01,0x2c,0x00,0x00,0xff,0xdb,0x00,0x43,0x00,0x05,0x03,0x04,0x04,0x04,0x03,0x05,
 0x04,0x04,0x04,0x05,0x05,0x05,0x06,0x07,0x0c,0x08,0x07,0x07,0x07,0x07,0x0f,0x0b,
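Review bot: Dropping `const` from `gifimage` and `jpgimage` here, and from `pngimage`, `gif4pixel` and the `image_data` parameter of `test_LoadImageFile` in the later hunks, is not required by the change. Only `bmpimage` is modified by the new test, and a non-const array can still be passed to a `const unsigned char *` parameter. Keeping `static const unsigned char` on the other fixtures and `const unsigned char * image_data` in the signature leaves them read-only and limits the writable data to the one array the test mutates.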
@@ -696,7 +696,7 @@ static const unsigned char jpgimage[285] = {
 };
 
 /* 1x1 pixel png */
-static const unsigned char pngimage[285] = {
+static unsigned char pngimage[285] = {
 0x89,0x50,0x4e,0x47,0x0d,0x0a,0x1a,0x0a,0x00,0x00,0x00,0x0d,0x49,0x48,0x44,0x52,
 0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x08,0x02,0x00,0x00,0x00,0x90,0x77,0x53,
 0xde,0x00,0x00,0x00,0x09,0x70,0x48,0x59,0x73,0x00,0x00,0x0b,0x13,0x00,0x00,0x0b,
@@ -708,7 +708,7 @@ static const unsigned char pngimage[285] = {
 
 /* 1x1 pixel bmp with gap between palette and bitmap. Correct bitmap contains only
    zeroes, gap is 0xFF. */
-static const unsigned char bmpimage[70] = {
+static unsigned char bmpimage[70] = {
 0x42,0x4d,0x46,0x00,0x00,0x00,0xDE,0xAD,0xBE,0xEF,0x42,0x00,0x00,0x00,0x28,0x00,
 0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,
 0x00,0x00,0x04,0x00,0x00,0x00,0x12,0x0b,0x00,0x00,0x12,0x0b,0x00,0x00,0x02,0x00,
@@ -717,7 +717,7 @@ static const unsigned char bmpimage[70] = {
 };
 
 /* 2x2 pixel gif */
-static const unsigned char gif4pixel[42] = {
+static unsigned char gif4pixel[42] = {
 0x47,0x49,0x46,0x38,0x37,0x61,0x02,0x00,0x02,0x00,0xa1,0x00,0x00,0x00,0x00,0x00,
 0x39,0x62,0xfc,0xff,0x1a,0xe5,0xff,0xff,0xff,0x2c,0x00,0x00,0x00,0x00,0x02,0x00,
 0x02,0x00,0x00,0x02,0x03,0x14,0x16,0x05,0x00,0x3b
@@ -746,7 +746,7 @@ static void test_LoadImageBitmap(HBITMAP hbm)
     ok(color_match(pixel, 0x00ffffff), "Pixel is 0x%08x\n", pixel);
 }
 
-static void test_LoadImageFile(const unsigned char * image_data,
+static void test_LoadImageFile(unsigned char * image_data,
     unsigned int image_size, const char * ext, BOOL expect_success)
 {
     HANDLE handle;
@@ -787,7 +787,7 @@ static void test_LoadImageFile(const unsigned char * image_data,
         "Last error: %u\n", error);
     if (handle != NULL) DestroyIcon(handle);
 
-    /* Load as bitmap. Should succeed if bmp, fail for everything else */
+    /* Load as bitmap. Should succeed for correct bmp, fail for everything else */
     SetLastError(0xdeadbeef);
     handle = LoadImageA(NULL, filename, IMAGE_BITMAP, 0, 0, LR_LOADFROMFILE);
     error = GetLastError();
@@ -897,6 +897,13 @@ static void test_LoadImage(void)
     test_LoadImageFile(gif4pixel, sizeof(gif4pixel), "gif", 0);
     test_LoadImageFile(jpgimage, sizeof(jpgimage), "jpg", 0);
     test_LoadImageFile(pngimage, sizeof(pngimage), "png", 0);
+    /* Check failure for broken BMP images */
+    bmpimage[0x14]++; /* biHeight > 65535 */
+    test_LoadImageFile(bmpimage, sizeof(bmpimage), "bmp", 0);
+    bmpimage[0x14]--;
+    bmpimage[0x18]++; /* biWidth > 65535 */
+    test_LoadImageFile(bmpimage, sizeof(bmpimage), "bmp", 0);
+    bmpimage[0x18]--;
 }
 
 static void test_CreateIconFromResource(void)
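Review bot: The two comments added in test_LoadImage appear to be swapped. With a 14-byte BITMAPFILEHEADER followed by a BITMAPINFOHEADER, biWidth occupies bytes 0x12–0x15 of `bmpimage` and biHeight bytes 0x16–0x19, so `bmpimage[0x14]++` makes biWidth 0x10001 and `bmpimage[0x18]++` does the same to biHeight; the comments should read `/* biWidth > 65535 */` and `/* biHeight > 65535 */` respectively. Both cases cover only positive oversize values, so a further case with a large negative biHeight would show whether the sanity check also bounds top-down bitmaps.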



