PATCH: metafile record length fix
Marcus Meissner
marcus at jet.franken.de
Sat Jan 21 03:25:49 CST 2006
Hi,
As discussed on some security mailing lists, the record
length must be at least 3 words (or the offset would point
into the current record).
Ciao, Marcus
Changelog:
Metafile records must be at least 3 words long.
Index: dlls/gdi/metafile.c
===================================================================
RCS file: /home/wine/wine/dlls/gdi/metafile.c,v
retrieving revision 1.13
diff -u -r1.13 metafile.c
--- dlls/gdi/metafile.c 18 Jan 2006 16:52:12 -0000 1.13
+++ dlls/gdi/metafile.c 21 Jan 2006 09:22:02 -0000
@@ -419,11 +419,10 @@
mr = (METARECORD *)((char *)mh + offset);
TRACE("offset=%04x,size=%08lx\n",
offset, mr->rdSize);
- if (!mr->rdSize) {
- TRACE(
- "Entry got size 0 at offset %d, total mf length is %ld\n",
- offset,mh->mtSize*2);
- break; /* would loop endlessly otherwise */
+ if (mr->rdSize < 3) { /* catch illegal record sizes */
+ TRACE("Entry got size %ld at offset %d, total mf length is %ld\n",
+ mr->rdSize,offset,mh->mtSize*2);
+ break;
}
offset += mr->rdSize * 2;
PlayMetaFileRecord( hdc, ht, mr, mh->mtNoObjects );
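Review bot: the new `mr->rdSize < 3` test only enforces a minimum; nothing in this hunk checks the record's upper bound, and `offset += mr->rdSize * 2;` followed by the next `mr = (METARECORD *)((char *)mh + offset);` is computed from an untrusted `rdSize`. If the enclosing loop only compares `offset` against `mh->mtSize*2` (its header is outside the hunk), a record whose `rdSize` extends past the end of the file is still handed to `PlayMetaFileRecord` before the next iteration notices. Consider adding, next to the minimum check, something like `if (offset + mr->rdSize * 2 > mh->mtSize * 2) break;` so the whole record is known to lie inside the buffer. Minor: the dropped comment `/* would loop endlessly otherwise */` documented why the zero case breaks out; the new `/* catch illegal record sizes */` could mention that a size of 0 also fails this test so the endless-loop case stays covered.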