[PATCH] gdi32: Prevent integer overflow in CreateBitmapIndirect.

Lei Zhang thestig at google.com
Tue Dec 16 20:27:48 CST 2008


Hi,

In bug 14664, the app tries to create a very large bitmap and causes an X error.

http://source.winehq.org/source/dlls/gdi32/bitmap.c#L276

is suppose to prevent that, but it fails because bm.bmHeight is 32759
and bm.bmWidthBytes is 131036, causing an integer overflow. This patch
should work around that problem.
-------------- next part --------------
From add486b932be2252ba8bc62f962ba26859e563b6 Mon Sep 17 00:00:00 2001
From: Lei Zhang <thestig at google.com>
Date: Tue, 16 Dec 2008 18:24:29 -0800
Subject: [PATCH] gdi32: Prevent integer overflow in CreateBitmapIndirect.

---
 dlls/gdi32/bitmap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/dlls/gdi32/bitmap.c b/dlls/gdi32/bitmap.c
index e7370a2..2a083c5 100644
--- a/dlls/gdi32/bitmap.c
+++ b/dlls/gdi32/bitmap.c
@@ -274,7 +274,7 @@ HBITMAP WINAPI CreateBitmapIndirect( const BITMAP *bmp )
     /* Windows ignores the provided bm.bmWidthBytes */
     bm.bmWidthBytes = BITMAP_GetWidthBytes( bm.bmWidth, bm.bmBitsPixel );
     /* XP doesn't allow to create bitmaps larger than 128 Mb */
-    if (bm.bmHeight * bm.bmWidthBytes > 128 * 1024 * 1024)
+    if (bm.bmHeight > 128 * 1024 * 1024 / bm.bmWidthBytes)
     {
         SetLastError( ERROR_NOT_ENOUGH_MEMORY );
         return 0;
-- 
1.5.4.5


More information about the wine-patches mailing list