Alexandre Julliard : kernel32: Validate handle before freeing a LOAD_LIBRARY_AS_DATAFILE module.

Alexandre Julliard julliard at winehq.org
Fri Aug 23 09:31:25 CDT 2019


Module: wine
Branch: stable
Commit: 9c41c5aa4637b104e8474407bef36f6c9ea114c4
URL:    https://source.winehq.org/git/wine.git/?a=commit;h=9c41c5aa4637b104e8474407bef36f6c9ea114c4

Author: Alexandre Julliard <julliard at winehq.org>
Date:   Fri Apr  5 09:42:09 2019 +0200

kernel32: Validate handle before freeing a LOAD_LIBRARY_AS_DATAFILE module.

Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=46019
Signed-off-by: Alexandre Julliard <julliard at winehq.org>
(cherry picked from commit 35d202fc0982da4e7ae3596414482318af118acb)
Signed-off-by: Michael Stefaniuc <mstefani at winehq.org>

---

 dlls/kernel32/module.c       | 8 +++++++-
 dlls/kernel32/tests/module.c | 5 +++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/dlls/kernel32/module.c b/dlls/kernel32/module.c
index 1199eff..17c0e95 100644
--- a/dlls/kernel32/module.c
+++ b/dlls/kernel32/module.c
@@ -1102,6 +1102,12 @@ BOOL WINAPI DECLSPEC_HOTPATCH FreeLibrary(HINSTANCE hLibModule)
 
     if ((ULONG_PTR)hLibModule & 3) /* this is a datafile module */
     {
+        void *ptr = (void *)((ULONG_PTR)hLibModule & ~3);
+        if (!RtlImageNtHeader( ptr ))
+        {
+            SetLastError( ERROR_BAD_EXE_FORMAT );
+            return FALSE;
+        }
         if ((ULONG_PTR)hLibModule & 1)
         {
             struct exclusive_datafile *file;
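Review bot: The new `RtlImageNtHeader( ptr )` guard at the top of the datafile branch is only a plausibility check: it confirms that the masked address holds a PE header, not that it is the base of a view mapped for a LOAD_LIBRARY_AS_DATAFILE load. A tagged handle whose masked address lands on some other valid header would presumably still pass and reach `UnmapViewOfFile( ptr )`. That may match native behaviour, but it deserves a comment so the check is not later mistaken for ownership validation, e.g. `/* sanity check only: rejects addresses without a PE header, does not prove the view came from LoadLibraryEx */`. The guard also relies on RtlImageNtHeader tolerating an unreadable address, which is not visible in this diff. FreeLibrary's body starts and ends outside this hunk.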
@@ -1119,7 +1125,7 @@ BOOL WINAPI DECLSPEC_HOTPATCH FreeLibrary(HINSTANCE hLibModule)
             }
             LdrUnlockLoaderLock( 0, magic );
         }
-        return UnmapViewOfFile( (void *)((ULONG_PTR)hLibModule & ~3) );
+        return UnmapViewOfFile( ptr );
     }
 
     if ((nts = LdrUnloadDll( hLibModule )) == STATUS_SUCCESS) retv = TRUE;
diff --git a/dlls/kernel32/tests/module.c b/dlls/kernel32/tests/module.c
index ba65e0a..2f1a5a5 100644
--- a/dlls/kernel32/tests/module.c
+++ b/dlls/kernel32/tests/module.c
@@ -439,6 +439,11 @@ static void testLoadLibraryEx(void)
     ok(hmodule != 0, "Expected valid module handle\n");
 
     SetLastError(0xdeadbeef);
+    ret = FreeLibrary( (HMODULE)((ULONG_PTR)hmodule + 0x1230));
+    ok(!ret, "Free succeeded on wrong handle\n");
+    ok(GetLastError() == ERROR_BAD_EXE_FORMAT, "wrong error %u\n", GetLastError());
+
+    SetLastError(0xdeadbeef);
     ret = FreeLibrary(hmodule);
     ok(ret, "Expected to be able to free the module, failed with %d\n", GetLastError());
     SetLastError(0xdeadbeef);
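Review bot: The added negative test only exercises an address that is presumably still inside the mapped view (`hmodule + 0x1230`), so the case where the masked address is not readable at all is not covered. That path depends on how RtlImageNtHeader handles a faulting read, which this diff does not show; a second case with an unmapped tagged address would pin it down, provided it is safe to run on native. A short comment would also help readers, e.g. `/* the offset keeps the low tag bits but no longer points at the PE header */`. testLoadLibraryEx starts and ends outside the hunk, so the assumption that hmodule comes from a LOAD_LIBRARY_AS_DATAFILE load should be confirmed.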



