[PATCH] user32: no sanity checks for BITMAPCOREINFO in BITMAP_Load

Wolfram Sang wolfram at the-dreams.de
Fri Jun 4 22:57:19 CDT 2010 

Fixes Bug #23021. Thanks to Rob for reporting and Rosanne DiMesio for
bisecting and providing further information!

Also adding a testcase. There, introduce and use a test description for
LoadImageBitmap() as the extension is not unique, so the printouts are
ambiguous.

Signed-off-by: Wolfram Sang <wolfram at the-dreams.de>
---
 dlls/user32/cursoricon.c       |   11 ++++++-----
 dlls/user32/tests/cursoricon.c |   40 ++++++++++++++++++++++++----------------
 2 files changed, 30 insertions(+), 21 deletions(-)

diff --git a/dlls/user32/cursoricon.c b/dlls/user32/cursoricon.c
index b54d9fd..0f8d7da 100644
--- a/dlls/user32/cursoricon.c
+++ b/dlls/user32/cursoricon.c
@@ -2233,11 +2233,6 @@ static HBITMAP BITMAP_Load( HINSTANCE instance, LPCWSTR name,
         if (bmfh->bfOffBits) offbits = bmfh->bfOffBits - sizeof(BITMAPFILEHEADER);
     }
 
-    if (info->bmiHeader.biHeight > 65535 || info->bmiHeader.biWidth > 65535) {
-        WARN("Broken BitmapInfoHeader!\n");
-        goto end_close;
-    }
-
     size = bitmap_info_size(info, DIB_RGB_COLORS);
     fix_info = HeapAlloc(GetProcessHeap(), 0, size);
     scaled_info = HeapAlloc(GetProcessHeap(), 0, size);
@@ -2269,6 +2264,12 @@ static HBITMAP BITMAP_Load( HINSTANCE instance, LPCWSTR name,
     }
     else
     {
+        /* Some sanity checks for BITMAPINFO (not applicable to BITMAPCOREINFO) */
+        if (info->bmiHeader.biHeight > 65535 || info->bmiHeader.biWidth > 65535) {
+            WARN("Broken BitmapInfoHeader!\n");
+            goto end;
+        }
+
         scaled_info->bmiHeader.biWidth = new_width;
         scaled_info->bmiHeader.biHeight = new_height;
     }
diff --git a/dlls/user32/tests/cursoricon.c b/dlls/user32/tests/cursoricon.c
index 8af4126..b2e1d84 100644
--- a/dlls/user32/tests/cursoricon.c
+++ b/dlls/user32/tests/cursoricon.c
@@ -716,6 +716,13 @@ static unsigned char bmpimage[70] = {
 0xFF,0xFF,0x00,0x00,0x00,0x00
 };
 
+/* 1x1 pixel bmp using BITMAPCOREHEADER */
+static unsigned char bmpcoreimage[38] = {
+0x42,0x4d,0x26,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x22,0x00,0x00,0x00,0x0c,0x00,
+0x00,0x00,0x01,0x00,0x01,0x00,0x01,0x00,0x01,0x00,0xff,0xff,0xff,0x00,0x55,0x55,
+0x55,0x00,0x00,0x00,0x00,0x00
+};
+
 /* 2x2 pixel gif */
 static unsigned char gif4pixel[42] = {
 0x47,0x49,0x46,0x38,0x37,0x61,0x02,0x00,0x02,0x00,0xa1,0x00,0x00,0x00,0x00,0x00,
@@ -723,7 +730,7 @@ static unsigned char gif4pixel[42] = {
 0x02,0x00,0x00,0x02,0x03,0x14,0x16,0x05,0x00,0x3b
 };
 
-static void test_LoadImageBitmap(HBITMAP hbm)
+static void test_LoadImageBitmap(const char * test_desc, HBITMAP hbm)
 {
     BITMAP bm;
     BITMAPINFO bmi;
@@ -741,12 +748,12 @@ static void test_LoadImageBitmap(HBITMAP hbm)
     bmi.bmiHeader.biBitCount= 24;
     bmi.bmiHeader.biCompression= BI_RGB;
     ret = GetDIBits(hdc, hbm, 0, bm.bmHeight, &pixel, &bmi, DIB_RGB_COLORS);
-    ok(ret == bm.bmHeight, "%d lines were converted, not %d\n", ret, bm.bmHeight);
+    ok(ret == bm.bmHeight, "%s: %d lines were converted, not %d\n", test_desc, ret, bm.bmHeight);
 
-    ok(color_match(pixel, 0x00ffffff), "Pixel is 0x%08x\n", pixel);
+    ok(color_match(pixel, 0x00ffffff), "%s: Pixel is 0x%08x\n", test_desc, pixel);
 }
 
-static void test_LoadImageFile(unsigned char * image_data,
+static void test_LoadImageFile(const char * test_desc, unsigned char * image_data,
     unsigned int image_size, const char * ext, BOOL expect_success)
 {
     HANDLE handle;
@@ -768,7 +775,7 @@ static void test_LoadImageFile(unsigned char * image_data,
     /* Load as cursor. For all tested formats, this should fail */
     SetLastError(0xdeadbeef);
     handle = LoadImageA(NULL, filename, IMAGE_CURSOR, 0, 0, LR_LOADFROMFILE);
-    ok(handle == NULL, "LoadImage(%s) as IMAGE_CURSOR succeeded incorrectly.\n", ext);
+    ok(handle == NULL, "%s: IMAGE_CURSOR succeeded incorrectly.\n", test_desc);
     error = GetLastError();
     ok(error == 0 ||
         broken(error == 0xdeadbeef) || /* Win9x */
@@ -779,7 +786,7 @@ static void test_LoadImageFile(unsigned char * image_data,
     /* Load as icon. For all tested formats, this should fail */
     SetLastError(0xdeadbeef);
     handle = LoadImageA(NULL, filename, IMAGE_ICON, 0, 0, LR_LOADFROMFILE);
-    ok(handle == NULL, "LoadImage(%s) as IMAGE_ICON succeeded incorrectly.\n", ext);
+    ok(handle == NULL, "%s: IMAGE_ICON succeeded incorrectly.\n", test_desc);
     error = GetLastError();
     ok(error == 0 ||
         broken(error == 0xdeadbeef) || /* Win9x */
@@ -796,10 +803,10 @@ static void test_LoadImageFile(unsigned char * image_data,
         "Last error: %u\n", error);
 
     if (expect_success) {
-        ok(handle != NULL, "LoadImage(%s) as IMAGE_BITMAP failed.\n", ext);
-        if (handle != NULL) test_LoadImageBitmap(handle);
+        ok(handle != NULL, "%s: IMAGE_BITMAP failed.\n", test_desc);
+        if (handle != NULL) test_LoadImageBitmap(test_desc, handle);
     }
-    else ok(handle == NULL, "LoadImage(%s) as IMAGE_BITMAP succeeded incorrectly.\n", ext);
+    else ok(handle == NULL, "%s: IMAGE_BITMAP succeeded incorrectly.\n", test_desc);
 
     if (handle != NULL) DeleteObject(handle);
     DeleteFileA(filename);
@@ -892,17 +899,18 @@ static void test_LoadImage(void)
     HeapFree(GetProcessHeap(), 0, icon_data);
     DeleteFileA("icon.ico");
 
-    test_LoadImageFile(bmpimage, sizeof(bmpimage), "bmp", 1);
-    test_LoadImageFile(gifimage, sizeof(gifimage), "gif", 0);
-    test_LoadImageFile(gif4pixel, sizeof(gif4pixel), "gif", 0);
-    test_LoadImageFile(jpgimage, sizeof(jpgimage), "jpg", 0);
-    test_LoadImageFile(pngimage, sizeof(pngimage), "png", 0);
+    test_LoadImageFile("BMP", bmpimage, sizeof(bmpimage), "bmp", 1);
+    test_LoadImageFile("BMP (coreinfo)", bmpcoreimage, sizeof(bmpcoreimage), "bmp", 1);
+    test_LoadImageFile("GIF", gifimage, sizeof(gifimage), "gif", 0);
+    test_LoadImageFile("GIF (2x2 pixel)", gif4pixel, sizeof(gif4pixel), "gif", 0);
+    test_LoadImageFile("JPG", jpgimage, sizeof(jpgimage), "jpg", 0);
+    test_LoadImageFile("PNG", pngimage, sizeof(pngimage), "png", 0);
     /* Check failure for broken BMP images */
     bmpimage[0x14]++; /* biHeight > 65535 */
-    test_LoadImageFile(bmpimage, sizeof(bmpimage), "bmp", 0);
+    test_LoadImageFile("BMP (too high)", bmpimage, sizeof(bmpimage), "bmp", 0);
     bmpimage[0x14]--;
     bmpimage[0x18]++; /* biWidth > 65535 */
-    test_LoadImageFile(bmpimage, sizeof(bmpimage), "bmp", 0);
+    test_LoadImageFile("BMP (too wide)", bmpimage, sizeof(bmpimage), "bmp", 0);
     bmpimage[0x18]--;
 }
 
-- 
1.7.0

More information about the wine-patches mailing list