[Bug 21613] New: Stack buffer read overflow in GdipCreateBitmapFromScan0

[wine-bugs at winehq.org]

http://bugs.winehq.org/show_bug.cgi?id=21613

           Summary: Stack buffer read overflow in
                    GdipCreateBitmapFromScan0
           Product: Wine
           Version: 1.0.0
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: gdiplus
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: dank at kegel.com


The gdiplus image tests have long shown the following error in valgrind:
 Conditional jump or move depends on uninitialised value(s)
    at  X11DRV_DIB_GenColorMap (dib.c:367)
    by  X11DRV_DIB_BuildColorMap (dib.c:436)
    by  X11DRV_CreateDIBSection (dib.c:4742)
    by  CreateDIBSection (dib.c:1353)
    by  GdipCreateBitmapFromScan0 (image.c:1251)
    by  GdipCreateBitmapFromHBITMAP (image.c:2782)
    by  test_GdipCreateBitmapFromHBITMAP (image.c:512)
    by  func_image (image.c:1523)
    by  run_test (test.h:535)
    by  main (test.h:585)
  Uninitialised value was created by a stack allocation
    at  GdipCreateBitmapFromScan0 (image.c:1204)
e.g. http://kegel.com/wine/valgrind/logs/2010-01-04-10.14/vg-gdiplus_image.txt

Turns out, even though biClrUsed is zero, 
CreateDibSection expects the BITMAPINFO to have a valid color table;
see gdi32/dib.c line 1161:

   1160         colors = info->bmiHeader.biClrUsed;
   1161         if (!colors) colors = 1 << info->bmiHeader.biBitCount;

The attached patch gets rid of the warning, and lets the tests pass,
but seems wrong; the color table probably needs to have real values.

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.