Alexandre Julliard : user32: Add size checks when creating an icon from bitmap info.

Alexandre Julliard julliard at winehq.org
Thu Mar 28 15:30:23 CDT 2013 

Module: wine
Branch: master
Commit: 267109d6f1be4852b0167b7ed8a082031721f943
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=267109d6f1be4852b0167b7ed8a082031721f943

Author: Alexandre Julliard <julliard at winehq.org>
Date:   Thu Mar 28 13:07:06 2013 +0100

user32: Add size checks when creating an icon from bitmap info.

---

 dlls/user32/cursoricon.c |   77 ++++++++++++++++++++++++++++++++--------------
 1 files changed, 54 insertions(+), 23 deletions(-)

diff --git a/dlls/user32/cursoricon.c b/dlls/user32/cursoricon.c
index df11f56..fa1ba24 100644
--- a/dlls/user32/cursoricon.c
+++ b/dlls/user32/cursoricon.c
@@ -796,11 +796,11 @@ done:
  *
  * Create an icon from its BITMAPINFO.
  */
-static HICON create_icon_from_bmi( BITMAPINFO *bmi, HMODULE module, LPCWSTR resname, HRSRC rsrc,
-                                   POINT hotspot, BOOL bIcon, INT width, INT height, UINT cFlag )
+static HICON create_icon_from_bmi( const BITMAPINFO *bmi, DWORD maxsize, HMODULE module, LPCWSTR resname,
+                                   HRSRC rsrc, POINT hotspot, BOOL bIcon, INT width, INT height,
+                                   UINT cFlag )
 {
-    unsigned int size = bitmap_info_size( bmi, DIB_RGB_COLORS );
-    BOOL monochrome = is_dib_monochrome( bmi );
+    DWORD size, color_size, mask_size;
     HBITMAP color = 0, mask = 0, alpha = 0;
     const void *color_bits, *mask_bits;
     BITMAPINFO *bmi_copy;
@@ -811,14 +811,35 @@ static HICON create_icon_from_bmi( BITMAPINFO *bmi, HMODULE module, LPCWSTR resn
 
     /* Check bitmap header */
 
+    if (maxsize < sizeof(BITMAPCOREHEADER))
+    {
+        WARN( "invalid size %u\n", maxsize );
+        return 0;
+    }
+    if (maxsize < bmi->bmiHeader.biSize)
+    {
+        WARN( "invalid header size %u\n", bmi->bmiHeader.biSize );
+        return 0;
+    }
     if ( (bmi->bmiHeader.biSize != sizeof(BITMAPCOREHEADER)) &&
          (bmi->bmiHeader.biSize != sizeof(BITMAPINFOHEADER)  ||
          (bmi->bmiHeader.biCompression != BI_RGB &&
           bmi->bmiHeader.biCompression != BI_BITFIELDS)) )
     {
-          WARN_(cursor)("\tinvalid resource bitmap header.\n");
-          return 0;
+        WARN( "invalid bitmap header %u\n", bmi->bmiHeader.biSize );
+        return 0;
+    }
+
+    size = bitmap_info_size( bmi, DIB_RGB_COLORS );
+    color_size = get_dib_image_size( bmi->bmiHeader.biWidth, bmi->bmiHeader.biHeight / 2,
+                                     bmi->bmiHeader.biBitCount );
+    mask_size = get_dib_image_size( bmi->bmiHeader.biWidth, bmi->bmiHeader.biHeight / 2, 1 );
+    if (size > maxsize || color_size > maxsize - size)
+    {
+        WARN( "truncated file %u < %u+%u+%u\n", maxsize, size, color_size, mask_size );
+        return 0;
     }
+    if (mask_size > maxsize - size - color_size) mask_size = 0;  /* no mask */
 
     if (cFlag & LR_DEFAULTSIZE)
     {
@@ -856,11 +877,10 @@ static HICON create_icon_from_bmi( BITMAPINFO *bmi, HMODULE module, LPCWSTR resn
     bmi_copy->bmiHeader.biHeight /= 2;
 
     color_bits = (const char*)bmi + size;
-    mask_bits = (const char*)color_bits +
-        get_dib_image_size( bmi->bmiHeader.biWidth, bmi_copy->bmiHeader.biHeight, bmi->bmiHeader.biBitCount );
+    mask_bits = (const char*)color_bits + color_size;
 
     alpha = 0;
-    if (monochrome)
+    if (is_dib_monochrome( bmi ))
     {
         if (!(mask = CreateBitmap( width, height * 2, 1, 1, NULL ))) goto done;
         color = 0;
@@ -908,10 +928,13 @@ static HICON create_icon_from_bmi( BITMAPINFO *bmi, HMODULE module, LPCWSTR resn
         }
     }
 
-    SelectObject( hdc, mask );
-    StretchDIBits( hdc, 0, 0, width, height,
-                   0, 0, bmi_copy->bmiHeader.biWidth, bmi_copy->bmiHeader.biHeight,
-                   mask_bits, bmi_copy, DIB_RGB_COLORS, SRCCOPY );
+    if (mask_size)
+    {
+        SelectObject( hdc, mask );
+        StretchDIBits( hdc, 0, 0, width, height,
+                       0, 0, bmi_copy->bmiHeader.biWidth, bmi_copy->bmiHeader.biHeight,
+                       mask_bits, bmi_copy, DIB_RGB_COLORS, SRCCOPY );
+    }
     ret = TRUE;
 
 done:
@@ -1170,7 +1193,6 @@ static HCURSOR CURSORICON_CreateIconFromANI( const LPBYTE bits, DWORD bits_size,
                                             bits + bits_size - icon_data,
                                             width, height, depth, loadflags );
 
-        bmi = (const BITMAPINFO *) (icon_data + entry->dwDIBOffset);
         info->hotspot.x = entry->xHotspot;
         info->hotspot.y = entry->yHotspot;
         if (!header.width || !header.height)
@@ -1184,9 +1206,16 @@ static HCURSOR CURSORICON_CreateIconFromANI( const LPBYTE bits, DWORD bits_size,
             frameHeight = header.height;
         }
 
-        /* Grab a frame from the animation */
-        frames[i] = create_icon_from_bmi( (BITMAPINFO *)bmi, NULL, NULL, NULL, info->hotspot,
-                                          is_icon, frameWidth, frameHeight, loadflags );
+        frames[i] = NULL;
+        if (entry->dwDIBOffset < bits + bits_size - icon_data)
+        {
+            bmi = (const BITMAPINFO *) (icon_data + entry->dwDIBOffset);
+            /* Grab a frame from the animation */
+            frames[i] = create_icon_from_bmi( bmi, bits + bits_size - (const BYTE *)bmi,
+                                              NULL, NULL, NULL, info->hotspot,
+                                              is_icon, frameWidth, frameHeight, loadflags );
+        }
+
         if (!frames[i])
         {
             FIXME_(cursor)("failed to convert animated cursor frame.\n");
@@ -1250,8 +1279,7 @@ static HCURSOR CURSORICON_CreateIconFromANI( const LPBYTE bits, DWORD bits_size,
 /**********************************************************************
  *		CreateIconFromResourceEx (USER32.@)
  *
- * FIXME: Convert to mono when cFlag is LR_MONOCHROME. Do something
- *        with cbSize parameter as well.
+ * FIXME: Convert to mono when cFlag is LR_MONOCHROME.
  */
 HICON WINAPI CreateIconFromResourceEx( LPBYTE bits, UINT cbSize,
                                        BOOL bIcon, DWORD dwVersion,
@@ -1290,9 +1318,10 @@ HICON WINAPI CreateIconFromResourceEx( LPBYTE bits, UINT cbSize,
         hotspot.x = pt[0];
         hotspot.y = pt[1];
         bmi = (BITMAPINFO *)(pt + 2);
+        cbSize -= 2 * sizeof(*pt);
     }
 
-    return create_icon_from_bmi( bmi, NULL, NULL, NULL, hotspot, bIcon, width, height, cFlag );
+    return create_icon_from_bmi( bmi, cbSize, NULL, NULL, NULL, hotspot, bIcon, width, height, cFlag );
 }
 
 
@@ -1350,8 +1379,8 @@ static HICON CURSORICON_LoadFromFile( LPCWSTR filename,
 
     hotspot.x = entry->xHotspot;
     hotspot.y = entry->yHotspot;
-    hIcon = create_icon_from_bmi( (BITMAPINFO *)&bits[entry->dwDIBOffset], NULL, NULL, NULL,
-                                  hotspot, !fCursor, width, height, loadflags );
+    hIcon = create_icon_from_bmi( (BITMAPINFO *)&bits[entry->dwDIBOffset], filesize - entry->dwDIBOffset,
+                                  NULL, NULL, NULL, hotspot, !fCursor, width, height, loadflags );
 end:
     TRACE("loaded %s -> %p\n", debugstr_w( filename ), hIcon );
     UnmapViewOfFile( bits );
@@ -1438,6 +1467,7 @@ static HICON CURSORICON_Load(HINSTANCE hInstance, LPCWSTR name,
     }
 
     if (!(handle = LoadResource( hInstance, hRsrc ))) return 0;
+    size = SizeofResource( hInstance, hRsrc );
     bits = LockResource( handle );
 
     if (!fCursor)
@@ -1451,8 +1481,9 @@ static HICON CURSORICON_Load(HINSTANCE hInstance, LPCWSTR name,
         hotspot.x = pt[0];
         hotspot.y = pt[1];
         bits += 2 * sizeof(SHORT);
+        size -= 2 * sizeof(SHORT);
     }
-    hIcon = create_icon_from_bmi( (BITMAPINFO *)bits, hInstance, name, hRsrc,
+    hIcon = create_icon_from_bmi( (BITMAPINFO *)bits, size, hInstance, name, hRsrc,
                                   hotspot, !fCursor, width, height, loadflags );
     FreeResource( handle );
     return hIcon;

More information about the wine-cvs mailing list