[PATCH] gdi32: Prevent integer overflow in CreateBitmapIndirect.
Lei Zhang
thestig at google.com
Tue Dec 16 20:27:48 CST 2008
Hi,
In bug 14664, the app tries to create a very large bitmap and causes an X error.
http://source.winehq.org/source/dlls/gdi32/bitmap.c#L276
is supposed to prevent that, but it fails because bm.bmHeight is 32759
and bm.bmWidthBytes is 131036, causing an integer overflow. This patch
should work around that problem.
-------------- next part --------------
From add486b932be2252ba8bc62f962ba26859e563b6 Mon Sep 17 00:00:00 2001
From: Lei Zhang <thestig at google.com>
Date: Tue, 16 Dec 2008 18:24:29 -0800
Subject: [PATCH] gdi32: Prevent integer overflow in CreateBitmapIndirect.
---
dlls/gdi32/bitmap.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/dlls/gdi32/bitmap.c b/dlls/gdi32/bitmap.c
index e7370a2..2a083c5 100644
--- a/dlls/gdi32/bitmap.c
+++ b/dlls/gdi32/bitmap.c
@@ -274,7 +274,7 @@ HBITMAP WINAPI CreateBitmapIndirect( const BITMAP *bmp )
/* Windows ignores the provided bm.bmWidthBytes */
bm.bmWidthBytes = BITMAP_GetWidthBytes( bm.bmWidth, bm.bmBitsPixel );
/* XP doesn't allow to create bitmaps larger than 128 Mb */
- if (bm.bmHeight * bm.bmWidthBytes > 128 * 1024 * 1024)
+ if (bm.bmHeight > 128 * 1024 * 1024 / bm.bmWidthBytes)
{
SetLastError( ERROR_NOT_ENOUGH_MEMORY );
return 0;
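Review bot: on the `+` line, `128 * 1024 * 1024 / bm.bmWidthBytes` divides by the value just returned from BITMAP_GetWidthBytes( bm.bmWidth, bm.bmBitsPixel ), and nothing in the visible context shows that it is non-zero. If a zero width or bit depth can reach this point, the size check turns into a division by zero, so either confirm that earlier validation in the function rules that out or guard the comparison with `bm.bmWidthBytes &&`. The comparison also relies on bm.bmHeight being non-negative here, which the hunk does not show. A short comment saying the division form exists to avoid 32-bit overflow of the product would keep it from being "simplified" back to the multiply later.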
--
1.5.4.5
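The overflow described in the message above, reproduced as an added example (not code from the patch or from Wine): it compares the multiply form of the size check, with the 32-bit wraparound written out explicitly, against the division form, using the height and width-bytes values quoted in the message. The function names, the `MAX_BITMAP_BYTES` macro and the zero-width handling are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_BITMAP_BYTES (128 * 1024 * 1024)   /* the 128 MB limit from the check */

/* Multiply form of the check. The product is computed modulo 2^32 and then
 * reinterpreted as a signed 32-bit value, which is what a 32-bit signed
 * multiply does in practice on two's-complement targets. */
static int rejects_with_multiply(int32_t height, int32_t width_bytes)
{
    uint32_t wrapped = (uint32_t)height * (uint32_t)width_bytes;
    int32_t product = wrapped <= INT32_MAX ? (int32_t)wrapped
                                           : -(int32_t)(~wrapped) - 1;
    return product > MAX_BITMAP_BYTES;
}

/* Division form of the check. No intermediate value can exceed 32 bits.
 * Assumption: a non-positive width_bytes is treated as invalid and rejected,
 * which also avoids dividing by zero. */
static int rejects_with_divide(int32_t height, int32_t width_bytes)
{
    if (width_bytes <= 0)
        return 1;
    return height > MAX_BITMAP_BYTES / width_bytes;
}

/* Reference answer using 64-bit arithmetic, where the product cannot wrap. */
static int rejects_exact(int32_t height, int32_t width_bytes)
{
    return (int64_t)height * (int64_t)width_bytes > MAX_BITMAP_BYTES;
}

int main(void)
{
    /* Values quoted in the message: bmHeight 32759, bmWidthBytes 131036. */
    int32_t h = 32759, wb = 131036;

    printf("true size      : %lld bytes\n", (long long)h * wb);
    printf("multiply check : %s\n", rejects_with_multiply(h, wb) ? "rejected" : "ALLOWED");
    printf("divide check   : %s\n", rejects_with_divide(h, wb) ? "rejected" : "ALLOWED");
    printf("64-bit check   : %s\n", rejects_exact(h, wb) ? "rejected" : "ALLOWED");
    return 0;
}
```

For positive inputs the division form gives the same answer as the exact 64-bit comparison, because `h > floor(L / w)` holds exactly when `h * w > L`.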