From 70807dd956f918e95cc98b02522e3a8fe99f81b9 Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Fri, 18 Jul 2008 15:44:32 -0700
Subject: [PATCH 2/2] gdiplus: Detect integer overflow in GdipCreateBitmapFromScan0.

---
 dlls/gdiplus/image.c | 14 ++++++++++----
 dlls/gdiplus/tests/image.c | 10 ++++++++++
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/dlls/gdiplus/image.c b/dlls/gdiplus/image.c
index 25a5c4d..94353a7 100644
--- a/dlls/gdiplus/image.c
+++ b/dlls/gdiplus/image.c
@@ -411,16 +411,22 @@ GpStatus WINGDIPAPI GdipCreateBitmapFromScan0(INT width, INT height, INT stride,
 return InvalidParameter;
 }

- *bitmap = GdipAlloc(sizeof(GpBitmap));
- if(!*bitmap) return OutOfMemory;
-
 if(stride == 0){
 stride = width * (PIXELFORMATBPP(format) / 8);
 stride = (stride + 3) & ~3;
 }

- datalen = abs(stride * height);
+ datalen = stride * height;
 size = sizeof(BITMAPFILEHEADER) + sizeof(BITMAPINFOHEADER) + datalen;
+ if (datalen <= 0 || size <= 0){
+ GdipFree(*bitmap);
+ *bitmap = NULL;
+ return InvalidParameter;
+ }
+
+ *bitmap = GdipAlloc(sizeof(GpBitmap));
+ if(!*bitmap) return OutOfMemory;
+
 buff = GdipAlloc(size);
 if(!buff){
 GdipFree(*bitmap);
diff --git a/dlls/gdiplus/tests/image.c b/dlls/gdiplus/tests/image.c
index 49d1e5e..b4cbb8c 100644
--- a/dlls/gdiplus/tests/image.c
+++ b/dlls/gdiplus/tests/image.c
@@ -87,6 +87,16 @@ static void test_Scan0(void)
 stat = GdipCreateBitmapFromScan0(10, 10, -10, PixelFormat24bppRGB, buff, &bm);
 expect(InvalidParameter, stat);
 expect(NULL, bm);
+
+ bm = (GpBitmap*)0xdeadbeef;
+ stat = GdipCreateBitmapFromScan0(32767, 32767, 0, PixelFormat24bppRGB, NULL, &bm);
+ expect(InvalidParameter, stat);
+ expect(NULL, bm);
+
+ bm = (GpBitmap*)0xdeadbeef;
+ stat = GdipCreateBitmapFromScan0(32767, 32767, 0, PixelFormat32bppRGB, NULL, &bm);
+ expect(InvalidParameter, stat);
+ expect(NULL, bm);
 }

 static void test_GetImageDimension(void)
-- 
1.5.4.5
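Review bot: In the dlls/gdiplus/image.c hunk the new `if (datalen <= 0 || size <= 0)` branch calls `GdipFree(*bitmap)` although the allocation of `*bitmap` has been moved below it, so unless code above the hunk resets it, `*bitmap` still holds whatever the caller passed in (the new tests pass `0xdeadbeef`) and that value is handed to the heap free. The branch should be just `*bitmap = NULL; return InvalidParameter;`. Separately, the check runs after `stride * height` has already been evaluated; assuming `datalen` and `size` are signed INTs (their declarations are outside the hunk), signed overflow is undefined behaviour in C, and a product that wraps to a positive value would pass the test and leave `buff` smaller than the bitmap needs. Bounding the operands before multiplying avoids both problems, e.g. `if (stride <= 0 || stride > (INT_MAX - hdrsize) / height)` with `hdrsize` standing for the two header sizes and `height` presumably validated as positive above the hunk; the same applies to `width * (PIXELFORMATBPP(format) / 8)` in the `stride == 0` path. The function body starts and ends outside the hunk.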
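Review bot: In the dlls/gdiplus/tests/image.c hunk both new cases use 32767 x 32767, where by my arithmetic the byte count falls between 2^31 and 2^32 and so wraps to a negative INT. Neither case covers a product that wraps past zero to a positive value, which is the path the `datalen <= 0 || size <= 0` check in image.c cannot see. A third case whose byte count exceeds the 32-bit range entirely, with the expected status confirmed against native gdiplus, would pin that behaviour down. A short comment such as `/* stride * height overflows a 32-bit INT here */` above the new cases would also explain the choice of 32767. test_Scan0 starts outside the hunk.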