Dmitry Timoshkov : windowscodecs: Check IFD structure when loading metadata .

Alexandre Julliard julliard at winehq.org
Thu Jun 14 15:31:32 CDT 2012


Module: wine
Branch: master
Commit: 7cf036a471e5a170a8a0d9f3ca4d718bf31c4d18
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=7cf036a471e5a170a8a0d9f3ca4d718bf31c4d18

Author: Dmitry Timoshkov <dmitry at baikal.ru>
Date:   Wed Jun 13 18:31:09 2012 +0900

windowscodecs: Check IFD structure when loading metadata.

---

 dlls/windowscodecs/metadatahandler.c |   33 +++++++++++++++++++++++++++++++++
 include/wincodec.idl                 |    1 +
 2 files changed, 34 insertions(+), 0 deletions(-)

diff --git a/dlls/windowscodecs/metadatahandler.c b/dlls/windowscodecs/metadatahandler.c
index d2eb8b3..6433136 100644
--- a/dlls/windowscodecs/metadatahandler.c
+++ b/dlls/windowscodecs/metadatahandler.c
@@ -733,6 +733,39 @@ static HRESULT LoadIfdMetadata(IStream *input, const GUID *preferred_vendor,
         return hr;
     }
 
+    /* limit number of IFDs to 4096 to avoid infinite loop */
+    for (i = 0; i < 4096; i++)
+    {
+        ULONG next_ifd_offset;
+        LARGE_INTEGER pos;
+        USHORT next_ifd_count;
+
+        hr = IStream_Read(input, &next_ifd_offset, sizeof(next_ifd_offset), NULL);
+        if (FAILED(hr)) break;
+
+        SWAP_ULONG(next_ifd_offset);
+        if (!next_ifd_offset) break;
+
+        pos.QuadPart = next_ifd_offset;
+        hr = IStream_Seek(input, pos, SEEK_SET, NULL);
+        if (FAILED(hr)) break;
+
+        hr = IStream_Read(input, &next_ifd_count, sizeof(next_ifd_count), NULL);
+        if (FAILED(hr)) break;
+
+        SWAP_USHORT(next_ifd_count);
+
+        pos.QuadPart = next_ifd_count * sizeof(*entry);
+        hr = IStream_Seek(input, pos, SEEK_CUR, NULL);
+        if (FAILED(hr)) break;
+    }
+
+    if (FAILED(hr) || i == 4096)
+    {
+        HeapFree(GetProcessHeap(), 0, entry);
+        return WINCODEC_ERR_BADMETADATAHEADER;
+    }
+
     result = HeapAlloc(GetProcessHeap(), 0, count * sizeof(*result));
     if (!result)
     {
diff --git a/include/wincodec.idl b/include/wincodec.idl
index c587ff4..82f419c 100644
--- a/include/wincodec.idl
+++ b/include/wincodec.idl
@@ -206,6 +206,7 @@ cpp_quote("#define WINCODEC_ERR_CODECNOTHUMBNAIL 0x88982f44")
 cpp_quote("#define WINCODEC_ERR_PALETTEUNAVAILABLE 0x88982f45")
 cpp_quote("#define WINCODEC_ERR_COMPONENTNOTFOUND 0x88982f50")
 cpp_quote("#define WINCODEC_ERR_FRAMEMISSING 0x88982f62")
+cpp_quote("#define WINCODEC_ERR_BADMETADATAHEADER 0x88982f63")
 cpp_quote("#define WINCODEC_ERR_UNSUPPORTEDPIXELFORMAT 0x88982f80")
 cpp_quote("#define WINCODEC_ERR_UNSUPPORTEDOPERATION 0x88982f81")
 cpp_quote("#define WINCODEC_ERR_INSUFFICIENTBUFFER 0x88982f8c")




More information about the wine-cvs mailing list