RFC/PATCH: avoid metafilevirus problems

Marcus Meissner marcus at jet.franken.de
Mon Jan 2 14:54:22 CST 2006


Hi,

requesting comments...

This patch reduces the attack vector on metafiles.

I originally wanted to filter only SETABORTPROC,
but there are a lot of things that might be used
to inject code.

Comments?

Ciao, Marcus

Changelog:
	Only allow whitelisted escape codes when playing metafiles.

Index: dlls/gdi/metafile.c
===================================================================
RCS file: /home/wine/wine/dlls/gdi/metafile.c,v
retrieving revision 1.10
diff -u -r1.10 metafile.c
--- dlls/gdi/metafile.c	5 Nov 2005 10:45:02 -0000	1.10
+++ dlls/gdi/metafile.c	2 Jan 2006 20:52:42 -0000
@@ -1121,10 +1121,57 @@
         GDIRealizePalette(hdc);
         break;
 
-    case META_ESCAPE:
+    case META_ESCAPE: {
+        BOOL passdown = FALSE;
+
+        switch (mr->rdParm[0]) {
+        case SETABORTPROC:
+             FIXME("NOTE: Suppressing SETABORTPROC in metafile, possible exploit.\n");
+             break;
+        case STARTDOC:
+        case ABORTDOC:
+        case ENDDOC:
+        case NEWFRAME:
+        case NEXTBAND:
+        case SETCOPYCOUNT:
+        case SETCOLORTABLE:
+        case FLUSHOUTPUT:
+        case DRAFTMODE:
+        case SELECTPAPERSOURCE:
+        case SETLINECAP:
+        case SETLINEJOIN:
+        case SETMITERLIMIT:
+        case DRAWPATTERNRECT:
+        case ENABLEDUPLEX:
+        case EPSPRINTING:
+        case SETDIBSCALING:
+        case EXTTEXTOUT:
+        case ENABLEPAIRKERNING:
+        case SETCHARSET:
+        case SETKERNTRACK:
+        case SETALLJUSTVALUES:
+        case STRETCHBLT:
+        case BEGIN_PATH:
+        case CLIP_TO_PATH:
+        case END_PATH:
+        case SET_ARC_DIRECTION:
+        case SET_BACKGROUND_COLOR:
+        case SET_POLY_MODE:
+        case SET_SCREEN_ANGLE:
+        case SET_SPREAD:
+        case TRANSFORM_CTM:
+        case SET_CLIP_BOX:
+        case SET_BOUNDS:
+        case SET_MIRROR_MODE:
+             passdown = TRUE;
+             break;
+        default:
+             FIXME("Ignoring strange Escape code %d in Metafile.\n");
+             break;
+        }
         Escape(hdc, mr->rdParm[0], mr->rdParm[1], (LPCSTR)&mr->rdParm[2], NULL);
         break;
-
+    }
     case META_EXTTEXTOUT:
         MF_Play_MetaExtTextOut( hdc, mr );
         break;