[v5 PATCH] comctl32/tooltip: Protect TTM_ADDTOOLW from invalid text pointers
Alistair Leslie-Hughes
leslie_alistair at hotmail.com
Tue Mar 1 00:46:23 CST 2016
Fixes https://bugs.winehq.org/show_bug.cgi?id=10347
Signed-off-by: Alistair Leslie-Hughes <leslie_alistair at hotmail.com>
---
dlls/comctl32/tests/tooltips.c | 39 +++++++++++++++++++++++++++++++++++++++
dlls/comctl32/tooltips.c | 4 +++-
2 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/dlls/comctl32/tests/tooltips.c b/dlls/comctl32/tests/tooltips.c
index 3382fce..2f8bc90 100644
--- a/dlls/comctl32/tests/tooltips.c
+++ b/dlls/comctl32/tests/tooltips.c
@@ -446,6 +446,45 @@ static void test_gettext(void)
r = SendMessageW(hwnd, TTM_ADDTOOLW, 0, (LPARAM)&toolinfoW);
ok(!r, "Adding the tool to the tooltip succeeded!\n");
+ /* lpszText with an invalid address */
+ toolinfoW.cbSize = sizeof(TTTOOLINFOW);
+ toolinfoW.hwnd = notify;
+ toolinfoW.hinst = GetModuleHandleA(NULL);
+ toolinfoW.uFlags = 0;
+ toolinfoW.uId = 0;
+ toolinfoW.lpszText = (LPWSTR)0xdeadbeef;
+ toolinfoW.lParam = 0;
+ GetClientRect(hwnd, &toolinfoW.rect);
+ r = SendMessageA(hwnd, TTM_ADDTOOLW, 0, (LPARAM)&toolinfoW);
+ ok(!r, "Adding the tool to the tooltip succeeded!\n");
+
+ /* lpszText with an callback address */
+ toolinfoW.cbSize = sizeof(TTTOOLINFOW);
+ toolinfoW.hwnd = notify;
+ toolinfoW.hinst = GetModuleHandleA(NULL);
+ toolinfoW.uFlags = 0;
+ toolinfoW.uId = 0;
+ toolinfoW.lpszText = LPSTR_TEXTCALLBACKW;
+ toolinfoW.lParam = 0;
+ GetClientRect(hwnd, &toolinfoW.rect);
+ r = SendMessageA(hwnd, TTM_ADDTOOLW, 0, (LPARAM)&toolinfoW);
+ ok(r, "Adding the tool to the tooltip failed!\n");
+
+ /* lpszText with an invalid address. Crashes using TTTOOLINFOA message */
+ if(0)
+ {
+ toolinfoA.cbSize = sizeof(TTTOOLINFOA);
+ toolinfoA.hwnd = notify;
+ toolinfoA.hinst = GetModuleHandleA(NULL);
+ toolinfoA.uFlags = 0;
+ toolinfoA.uId = 0;
+ toolinfoA.lpszText = (LPSTR)0xdeadbeef;
+ toolinfoA.lParam = 0;
+ GetClientRect(hwnd, &toolinfoA.rect);
+ r = SendMessageA(hwnd, TTM_ADDTOOLA, 0, (LPARAM)&toolinfoA);
+ ok(!r, "Adding the tool to the tooltip succeeded!\n");
+ }
+
if (0) /* crashes on NT4 */
{
toolinfoW.hwnd = NULL;
diff --git a/dlls/comctl32/tooltips.c b/dlls/comctl32/tooltips.c
index 8bf6919..43c02ee 100644
--- a/dlls/comctl32/tooltips.c
+++ b/dlls/comctl32/tooltips.c
@@ -1038,7 +1038,9 @@ TOOLTIPS_AddToolT (TOOLTIPS_INFO *infoPtr, const TTTOOLINFOW *ti, BOOL isW)
infoPtr->hwndSelf, ti->hwnd, ti->uId,
(ti->uFlags & TTF_IDISHWND) ? " TTF_IDISHWND" : "");
- if (ti->cbSize >= TTTOOLINFOW_V2_SIZE && !ti->lpszText && isW)
+ if (ti->cbSize >= TTTOOLINFOW_V2_SIZE && isW && (!ti->lpszText ||
+ (ti->lpszText != LPSTR_TEXTCALLBACKW &&
+ IsBadStringPtrW(ti->lpszText, sizeof(WCHAR)))))
return FALSE;
if (infoPtr->uNumTools == 0) {
--
1.9.1
More information about the wine-patches
mailing list