Bernhard Übelacker: user32: Validate DIB offset in CURSORICON_GetFileEntry.
Alexandre Julliard
julliard at winehq.org
Tue Jan 30 14:38:14 CST 2018
Module: wine
Branch: master
Commit: 9256017adf1b32564d96a745d2ba79c09f0cb02a
URL: https://source.winehq.org/git/wine.git/?a=commit;h=9256017adf1b32564d96a745d2ba79c09f0cb02a
Author: Bernhard Übelacker <bernhardu at mailbox.org>
Date: Sun Jan 28 19:15:44 2018 +0100
user32: Validate DIB offset in CURSORICON_GetFileEntry.
Signed-off-by: Bernhard Übelacker <bernhardu at mailbox.org>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>
---
dlls/user32/cursoricon.c | 1 +
dlls/user32/tests/cursoricon.c | 8 ++++++++
2 files changed, 9 insertions(+)
diff --git a/dlls/user32/cursoricon.c b/dlls/user32/cursoricon.c
index 1203250..8e272f0 100644
--- a/dlls/user32/cursoricon.c
+++ b/dlls/user32/cursoricon.c
@@ -678,6 +678,7 @@ static BOOL CURSORICON_GetFileEntry( LPCVOID dir, DWORD size, int n,
if ((const char *)&filedir->idEntries[n + 1] - (const char *)dir > size)
return FALSE;
entry = &filedir->idEntries[n];
+ if (entry->dwDIBOffset > size - sizeof(info->biSize)) return FALSE;
info = (const BITMAPINFOHEADER *)((const char *)dir + entry->dwDIBOffset);
if (info->biSize != sizeof(BITMAPCOREHEADER))
{
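Review bot: The added bound on `entry->dwDIBOffset` covers only the four bytes of `biSize`, so the header fields read after the `if (info->biSize != sizeof(BITMAPCOREHEADER))` test still need their own check against `size`. That code lies past the end of this hunk, so confirm that each branch verifies the full BITMAPINFOHEADER or BITMAPCOREHEADER fits inside the buffer before dereferencing it. The subtraction `size - sizeof(info->biSize)` is unsigned and would wrap for a `size` below four; the preceding `idEntries[n + 1]` check appears to rule that out for non-negative `n`, which deserves a comment such as `/* size covers idEntries[n], so size - sizeof(biSize) cannot wrap */`. CURSORICON_GetFileEntry starts and ends outside the hunk.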
diff --git a/dlls/user32/tests/cursoricon.c b/dlls/user32/tests/cursoricon.c
index 211376b..5099c08 100644
--- a/dlls/user32/tests/cursoricon.c
+++ b/dlls/user32/tests/cursoricon.c
@@ -1031,6 +1031,12 @@ static const unsigned char gif4pixel[42] = {
0x02,0x00,0x00,0x02,0x03,0x14,0x16,0x05,0x00,0x3b
};
+/* An invalid cursor with an invalid dwDIBOffset */
+static const unsigned char invalid_dwDIBOffset[] = {
+ 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00
+};
+
static const DWORD biSize_tests[] = {
0,
sizeof(BITMAPCOREHEADER) - 1,
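Review bot: The comment on `invalid_dwDIBOffset` does not say which bytes make the file invalid, so a reader has to decode the 22-byte array by hand to see what the fixture exercises. I would expand it to something like `/* Cursor file with a single directory entry whose dwDIBOffset (last four bytes, 0x0000ffff) points far beyond the 22-byte file */`, assuming the array follows the usual 6-byte directory header plus 16-byte entry layout. Stating the offset and the file size in the comment also makes it obvious which side of the new bound check the fixture lands on.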
@@ -1320,6 +1326,8 @@ static void test_LoadImage(void)
test_LoadImageFile("BMP (broken biSize)", bmpimage, sizeof(bmpimage), "bmp", 0);
}
bitmap_header->biSize = sizeof(BITMAPINFOHEADER);
+
+ test_LoadImageFile("Cursor (invalid dwDIBOffset)", invalid_dwDIBOffset, sizeof(invalid_dwDIBOffset), "cur", 0);
}
#undef ARRAY_SIZE
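Review bot: The new `test_LoadImageFile("Cursor (invalid dwDIBOffset)", ...)` call exercises only an offset that is far outside the buffer, so an off-by-one in the `>` comparison added to CURSORICON_GetFileEntry would go unnoticed. A second fixture whose dwDIBOffset is one byte past the last position where `biSize` still fits (file size minus three) would pin the exact boundary, ideally run under a memory checker so that a regression shows up as an out-of-bounds read rather than a silent pass. test_LoadImage begins outside this hunk, so the meaning of the trailing `0` argument cannot be confirmed from here.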