Bruno Jesus : oleaut32: Cope with invalid icon data in OLEPictureImpl_LoadIcon.

Fri Oct 2 09:21:49 CDT 2015

Module: wine
Branch: master
Commit: 2f9987fd043d094c23430a1698f1a722be76b9bf
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=2f9987fd043d094c23430a1698f1a722be76b9bf

Author: Bruno Jesus <00cpxxx at gmail.com>
Date:   Tue Sep 29 22:15:45 2015 +0800

oleaut32: Cope with invalid icon data in OLEPictureImpl_LoadIcon.

Signed-off-by: Bruno Jesus <00cpxxx at gmail.com>

---

 dlls/oleaut32/olepicture.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/dlls/oleaut32/olepicture.c b/dlls/oleaut32/olepicture.c
index 5d0d801..5ce83e0 100644
--- a/dlls/oleaut32/olepicture.c
+++ b/dlls/oleaut32/olepicture.c
@@ -1210,6 +1210,8 @@ static HRESULT OLEPictureImpl_LoadIcon(OLEPictureImpl *This, BYTE *xbuf, ULONG x
     HDC hdcRef;
     int	i;
 
+    TRACE("(this %p, xbuf %p, xread %u)\n", This, xbuf, xread);
+
     /*
     FIXME("icon.idReserved=%d\n",cifd->idReserved);
     FIXME("icon.idType=%d\n",cifd->idType);
@@ -1226,6 +1228,13 @@ static HRESULT OLEPictureImpl_LoadIcon(OLEPictureImpl *This, BYTE *xbuf, ULONG x
 	FIXME("[%d] dwDIBOffset %d\n",i,cifd->idEntries[i].dwDIBOffset);
     }
     */
+
+    /* Need at least one icon to do something. */
+    if (!cifd->idCount)
+    {
+        ERR("Invalid icon count of zero.\n");
+        return E_FAIL;
+    }
     i=0;
     /* If we have more than one icon, try to find the best.
      * this currently means '32 pixel wide'.
@@ -1237,6 +1246,12 @@ static HRESULT OLEPictureImpl_LoadIcon(OLEPictureImpl *This, BYTE *xbuf, ULONG x
 	}
 	if (i==cifd->idCount) i=0;
     }
+    if (xread < cifd->idEntries[i].dwDIBOffset + cifd->idEntries[i].dwDIBSize)
+    {
+        ERR("Icon data address %u is over %u bytes available.\n",
+            cifd->idEntries[i].dwDIBOffset + cifd->idEntries[i].dwDIBSize, xread);
+        return E_FAIL;
+    }
     if (cifd->idType == 2)
     {
         LPBYTE buf = HeapAlloc(GetProcessHeap(), 0, cifd->idEntries[i].dwDIBSize + 4);


