[Bug 45104] New: OOB read in gdiplus
wine-bugs at winehq.org
Tue May 1 09:21:21 CDT 2018
https://bugs.winehq.org/show_bug.cgi?id=45104
Bug ID: 45104
Summary: OOB read in gdiplus
Product: Wine
Version: 3.7
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gdiplus
Assignee: wine-bugs at winehq.org
Reporter: robert.gawlik at rub.de
Distribution: ---
The originally submitted report can be found here:
https://bugs.launchpad.net/ubuntu/+source/wine/+bug/1764719
(*) Out-of-bounds read in dlls/gdiplus/metafile.c:2528 (last commit: dd2624a24fba400bf59b9396e496d16c43d399d9):

The parameters data, dataSize and recordType are completely user controlled and flow into a memcpy() call on line 2528. If the length of data is less than dataSize, then this results in an out-of-bounds read.
2461 GpStatus WINGDIPAPI GdipPlayMetafileRecord(GDIPCONST GpMetafile *metafile,
2462     EmfPlusRecordType recordType, UINT flags, UINT dataSize, GDIPCONST BYTE *data)
2463 {
....
2471
2472     if (recordType >= 1 && recordType <= 0x7a)
2473     {
2474         /* regular EMF record */
2475         if (metafile->playback_dc)
2476         {
2477             switch (recordType)
2478             {
....
2520             default:
2521             {
2522                 ENHMETARECORD *record = heap_alloc_zero(dataSize + 8);   // <== dataSize is completely user controlled
2523
2524                 if (record)
2525                 {
2526                     record->iType = recordType;
2527                     record->nSize = dataSize + 8;
2528                     memcpy(record->dParm, data, dataSize);   // <== data is user controlled, memcpy performs OOB read
2529
2530                     if(PlayEnhMetaFileRecord(metafile->playback_dc, metafile->handle_table,
2531                                              record, metafile->handle_count) == 0)   // (record is user controlled => source of many vulnerabilities)
2532                         ERR("PlayEnhMetaFileRecord failed\n");
If you need more information (EMF trigger file, etc.) let me know!
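As an added example (not Wine's code and not part of the report), the check a caller needs in front of a copy like the one on line 2528: read the record's declared size and refuse the record unless it fits in the bytes actually held. The record layout mirrors the iType/nSize/dParm fields the snippet uses; the struct name, function name and sample buffer are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same field layout as the ENHMETARECORD in the snippet (assumed name). */
typedef struct {
    uint32_t iType;
    uint32_t nSize;     /* size of the whole record, header included */
    uint32_t dParm[];   /* variable-length payload */
} EmfRecord;

enum { REC_HEADER = 8 };  /* sizeof(iType) + sizeof(nSize) */

/* Returns a heap copy of the record at buf[off..], or NULL when the header or
 * the declared size does not fit in the buf_len bytes we actually hold.
 * The copy length is bounded by the check, never by nSize alone. */
EmfRecord *copy_record_checked(const uint8_t *buf, size_t buf_len, size_t off)
{
    uint32_t type, size;
    if (off > buf_len || buf_len - off < REC_HEADER) return NULL; /* no header */
    memcpy(&type, buf + off, 4);
    memcpy(&size, buf + off + 4, 4);
    if (size < REC_HEADER || size > buf_len - off) return NULL; /* size overruns input */
    if (type < 1 || type > 0x7a) return NULL;  /* same type range the snippet accepts */
    EmfRecord *rec = calloc(1, size);
    if (!rec) return NULL;
    memcpy(rec, buf + off, size);
    return rec;
}

/* Constructed sample input: one complete 16-byte record, followed by a header
 * that claims 64 bytes although only 8 bytes remain in the buffer. */
static const uint8_t sample[] = {
    0x0e,0,0,0, 0x10,0,0,0, 1,2,3,4, 5,6,7,8,   /* type 14, nSize 16 */
    0x0e,0,0,0, 0x40,0,0,0                      /* type 14, nSize 64: overruns */
};

int main(void)
{
    EmfRecord *ok = copy_record_checked(sample, sizeof sample, 0);
    EmfRecord *bad = copy_record_checked(sample, sizeof sample, 16);
    printf("record 0: %s, record 1: %s\n", ok ? "accepted" : "rejected",
           bad ? "accepted" : "rejected");
    free(ok);
    free(bad);
    return 0;
}
```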