Bruno Jesus : msvfw32: Lpckid and lpdwFlags must be valid memory addresses.

Alexandre Julliard julliard at wine.codeweavers.com
Tue Oct 20 11:28:29 CDT 2015


Module: wine
Branch: master
Commit: 4cb36b9aaf087d07b2ff45ef89a51caf1984ce5f
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=4cb36b9aaf087d07b2ff45ef89a51caf1984ce5f

Author: Bruno Jesus <00cpxxx at gmail.com>
Date:   Tue Oct 20 14:56:22 2015 +0800

msvfw32: Lpckid and lpdwFlags must be valid memory addresses.

Otherwise codecs will crash while trying to write to them. Even though
MSDN states that NULL is allowed for lpckid, that is not true.

Signed-off-by: Bruno Jesus <00cpxxx at gmail.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>

---

 dlls/msvfw32/msvideo_main.c | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/dlls/msvfw32/msvideo_main.c b/dlls/msvfw32/msvideo_main.c
index 1c38b75..d1a2283 100644
--- a/dlls/msvfw32/msvideo_main.c
+++ b/dlls/msvfw32/msvideo_main.c
@@ -1431,13 +1431,15 @@ BOOL VFWAPI ICSeqCompressFrameStart(PCOMPVARS pc, LPBITMAPINFO lpbiIn)
      * it doesn't appear to be used though
      */
     DWORD ret;
+    ICCOMPRESS* icComp;
     pc->lpbiIn = HeapAlloc(GetProcessHeap(), 0, sizeof(BITMAPINFO));
     if (!pc->lpbiIn)
         return FALSE;
 
     *pc->lpbiIn = *lpbiIn;
 
-    pc->lpState = HeapAlloc(GetProcessHeap(), 0, sizeof(ICCOMPRESS));
+    pc->lpState = HeapAlloc(GetProcessHeap(), 0, sizeof(ICCOMPRESS)
+                            + sizeof(*icComp->lpckid) + sizeof(*icComp->lpdwFlags));
     if (!pc->lpState)
         goto error;
 
@@ -1469,17 +1471,20 @@ BOOL VFWAPI ICSeqCompressFrameStart(PCOMPVARS pc, LPBITMAPINFO lpbiIn)
     TRACE(" -- %x\n", ret);
     if (ret == ICERR_OK)
     {
-       ICCOMPRESS* icComp = pc->lpState;
-       /* Initialise some variables */
-       pc->lFrame = 0; pc->lKeyCount = 0;
-
-       icComp->lpbiOutput = &pc->lpbiOut->bmiHeader;
-       icComp->lpbiInput = &pc->lpbiIn->bmiHeader;
-       icComp->lpckid = NULL;
-       icComp->dwFrameSize = 0;
-       icComp->dwQuality = pc->lQ;
-       icComp->lpbiPrev = &pc->lpbiIn->bmiHeader;
-       return TRUE;
+        icComp = pc->lpState;
+        /* Initialise some variables */
+        pc->lFrame = 0; pc->lKeyCount = 0;
+
+        icComp->lpbiOutput = &pc->lpbiOut->bmiHeader;
+        icComp->lpbiInput = &pc->lpbiIn->bmiHeader;
+        icComp->lpckid = (DWORD *)(icComp + 1);
+        *icComp->lpckid = 0;
+        icComp->lpdwFlags = (DWORD *)((char *)(icComp + 1) + sizeof(*icComp->lpckid));
+        *icComp->lpdwFlags = 0;
+        icComp->dwFrameSize = 0;
+        icComp->dwQuality = pc->lQ;
+        icComp->lpbiPrev = &pc->lpbiIn->bmiHeader;
+        return TRUE;
     }
 error:
     clear_compvars(pc);
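Review bot: The lpdwFlags assignment on the `icComp->lpdwFlags = (DWORD *)((char *)(icComp + 1) + sizeof(*icComp->lpckid));` line re-derives as a byte offset what the preceding line already expressed as a typed DWORD pointer; `icComp->lpdwFlags = icComp->lpckid + 1;` yields the same address without the char cast and keeps the two trailing slots visibly adjacent. The layout of the single lpState allocation (ICCOMPRESS followed by the two DWORDs) is only implied by the enlarged HeapAlloc in the first hunk, so the reason deserves a comment at the lpckid assignment, e.g. `/* lpckid and lpdwFlags point into the tail of the lpState block: codecs write through them, so NULL is not acceptable despite MSDN */`. ICSeqCompressFrameStart begins before the first hunk and its error path continues past the end of this one.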



