[Bug 30827] New: Uninitialized memory reference in create_icon_pixmaps() -> GetDIBits() -> bitmapinfoheader_from_user_bitmapinfo()

wine-bugs at winehq.org wine-bugs at winehq.org
Sat Jun 2 22:24:54 CDT 2012 

http://bugs.winehq.org/show_bug.cgi?id=30827

             Bug #: 30827
           Summary: Uninitialized memory reference in
                    create_icon_pixmaps() -> GetDIBits() ->
                    bitmapinfoheader_from_user_bitmapinfo()
           Product: Wine
           Version: 1.5.5
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: gdi32
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: dank at kegel.com
    Classification: Unclassified


While looking at bug 30826, I saw

 Conditional jump or move depends on uninitialised value(s)
  at bitmapinfoheader_from_user_bitmapinfo (dib.c:177)
  by GetDIBits (dib.c:1210)
  by create_icon_pixmaps.isra.8 (window.c:883)

create_icon_pixmaps calls GetDIBits with bits=NULL and a mostly uninitialized 
info, but bitmapinfoheader_from_user_bitmapinfo() assumes that biCompression 
has already been initialized.

gdi32/dib.c:
    149 static BOOL bitmapinfoheader_from_user_bitmapinfo( BITMAPINFOHEADER
*dst, const BITMAPINFOHEADER *info )
    150 {
    ...
    166     else if (info->biSize >= sizeof(BITMAPINFOHEADER)) /* assume
BITMAPINFOHEADER */
    167     {
    168         *dst = *info;
    169     }
...
    176     dst->biSize = sizeof(*dst);
    177     if (dst->biCompression == BI_RGB || dst->biCompression ==
BI_BITFIELDS)
    178         dst->biSizeImage = get_dib_image_size( (BITMAPINFO *)dst );

   1187 INT WINAPI GetDIBits(
   1188     HDC hdc,         /* [in]  Handle to device context */
   1189     HBITMAP hbitmap, /* [in]  Handle to bitmap */
   1190     UINT startscan,  /* [in]  First scan line to set in dest bitmap */
   1191     UINT lines,      /* [in]  Number of scan lines to copy */
   1192     LPVOID bits,       /* [out] Address of array for bitmap bits */
   1193     BITMAPINFO * info, /* [in,out] Address of structure with bitmap
data */
   1194     UINT coloruse)   /* [in]  RGB or palette index */
   1195 {
   ...
   1208     /* Since info may be a BITMAPCOREINFO or any of the larger
BITMAPINFO structures, we'll use our  
   1209        own copy and transfer the colour info back at the end */
   1210     if (!bitmapinfoheader_from_user_bitmapinfo( &dst_info->bmiHeader,
&info->bmiHeader )) return 0;
   ....
   1212     if (bits &&
   1213         (dst_info->bmiHeader.biCompression == BI_JPEG ||
dst_info->bmiHeader.biCompression == BI_PNG))

winex11.drv/window.c:
    868 static BOOL create_icon_pixmaps( HDC hdc, const ICONINFO *icon, struct
x11drv_win_data *data )
    869 {
    870     char buffer[FIELD_OFFSET( BITMAPINFO, bmiColors[256] )];
    871     BITMAPINFO *info = (BITMAPINFO *)buffer;
    ...
    881     info->bmiHeader.biSize = sizeof(BITMAPINFOHEADER);
    882     info->bmiHeader.biBitCount = 0;
    883     if (!(lines = GetDIBits( hdc, icon->hbmColor, 0, 0, NULL, info,
DIB_RGB_COLORS ))) goto failed;

Note that GetDIBits is careful to avoid referencing biCompression itself
when bits is NULL, but the function it calls doesn't know whether bits is NULL.

(bug 30266 is nearby but doesn't seem related?)

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.

More information about the wine-bugs mailing list