CURSORICON_SimulateLoadingFromResourceW param check. VFP6 EXEs now work.
C. Daniel Mojoli B.
cdmojoli at idea.com.py
Tue Mar 23 13:45:00 CST 2004
Uwe Bonnes wrote:
>>>>>> "C" == C Daniel Mojoli B <cdmojoli at idea.com.py> writes:
>
> C> Add minimal parameter validation to function
> C> CURSORICON_SimulateLoadingFromResourceW(...). We check that the icon
>
> Providing a test case for such special behaviour is a good idea...

I created this patch as a result of consulting I performed at a
customer's site. I no longer have access to the winedbg info I had
there, so I can't provide a test. The situation is very simple to
describe. Essentially this is what happens:

1) VFP6 runtime encounters a command that requires loading a resource,
e.g. MODIFY SCREEN to put some background image.
2) The VFP6 runtime extracts the resource from the APP or EXE and places
it in a temp file, e.g. 12345678.TMP.
3) Since the VFP6 runtime cannot use file extension information as it
would if you were DOing SOME.PRG, it decides to try different ways of
loading it. At some point before hitting the right loading function it
tests whether the resource is a cursor icon by calling
LoadImageW(type=IMAGE_CURSOR). This is, IMHO, a terrible way to program,
depending on failure semantics.
4) Now we are in Wine turf for the first time and LoadImageW ->
CURSORICON_Load -> CURSORICON_SimulateLoadingFromResourceW.
5) CURSORICON_SimulateLoadingFromResourceW maps the file to memory
(cursoricon.c:483), then tests if the file is a RIFF file
(cursoricon.c:488).
6) Execution continues until L507, where it is assumed the mapped file
is of icon structure. Here Wine tests if the number of icon entries !=
0, but our illegal file (JPEG, GIF, etc) hardly has a zero byte value at
all, so we pass the test.
7) We hit L513 and cause an exception when executing the following
expression: bits->idEntries[i]. The problem is that we are looping with
our index bound to the garbage number of icon entries! That garbage is
almost assured to be too large and we loop past the assigned memory.
8) Exception!

I created the patch using exactly the same technique L488 uses to test
for the RIFF case. I simply further test if that magic corresponds to
icon file magic, right between steps 5 and 6, before any other file data
is used.

Even if I hadn't encountered a problem with VFP6, I consider the patch
should be applied on the grounds it simply checks the magic of the file to
conform to what it should be.
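
Added example, not part of the original message and not Wine's code: a standalone check of an icon/cursor file directory before its entries are walked. It goes beyond the magic test described above by also bounding the file-supplied entry count and each entry's data range against the mapped size; the helper name, constants and sample buffers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DIR_HEADER_SIZE 6   /* idReserved, idType, idCount: three 16-bit LE words */
#define DIR_ENTRY_SIZE  16  /* one on-disk .ico/.cur directory entry */

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Hypothetical helper (not a Wine function): returns the number of directory
 * entries that can be walked safely, or -1 if the buffer is not an icon/cursor file. */
int icon_dir_entry_count(const unsigned char *data, size_t size)
{
    if (!data || size < DIR_HEADER_SIZE) return -1;
    uint16_t reserved = rd16(data), type = rd16(data + 2), count = rd16(data + 4);

    /* Magic check: reserved word is 0, type is 1 (icon) or 2 (cursor). */
    if (reserved != 0 || (type != 1 && type != 2)) return -1;
    /* The count comes from the file, so bound it by the mapped size. */
    if (count == 0 || (size - DIR_HEADER_SIZE) / DIR_ENTRY_SIZE < count) return -1;

    for (uint16_t i = 0; i < count; i++) {
        const unsigned char *e = data + DIR_HEADER_SIZE + (size_t)i * DIR_ENTRY_SIZE;
        uint32_t bytes = rd32(e + 8), offset = rd32(e + 12);
        /* Image data referenced by the entry must lie inside the file. */
        if (offset > size || bytes > size - offset) return -1;
    }
    return count;
}

/* Constructed sample inputs: JPEG-like bytes, icon magic with a garbage
 * count, and a minimal one-entry icon with 4 bytes of image data. */
static const unsigned char sample_jpeg[] = { 0xFF,0xD8,0xFF,0xE0,0x00,0x10,
    'J','F','I','F',0,1,1,0,0,0x48,0,0x48,0,0,0xFF,0xDB };
static const unsigned char sample_big_count[] = { 0,0,1,0,0xFF,0xFF,
    16,16,0,0,1,0,32,0, 4,0,0,0, 22,0,0,0 };
static const unsigned char sample_icon[] = { 0,0,1,0,1,0,
    16,16,0,0,1,0,32,0, 4,0,0,0, 22,0,0,0, 0xAA,0xBB,0xCC,0xDD };

int main(void)
{
    printf("jpeg:      %d\n", icon_dir_entry_count(sample_jpeg, sizeof sample_jpeg));
    printf("big count: %d\n", icon_dir_entry_count(sample_big_count, sizeof sample_big_count));
    printf("icon:      %d\n", icon_dir_entry_count(sample_icon, sizeof sample_icon));
    return 0;
}
```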