patch for dlls/gdi32/dib.c: fixes crash
Wolfgang Walter
wine at stwm.de
Thu Jul 28 09:14:56 CDT 2011
On Wednesday, 27 July 2011 you wrote:
> On Wed, Jul 27, 2011 at 6:44 PM, Wolfgang Walter <wine at stwm.de> wrote:
> > - char src_bmibuf[FIELD_OFFSET( BITMAPINFO, bmiColors[256] )];
> > - BITMAPINFO *src_info = (BITMAPINFO *)src_bmibuf;
> > - char dst_bmibuf[FIELD_OFFSET( BITMAPINFO, bmiColors[256] )];
> > - BITMAPINFO *dst_info = (BITMAPINFO *)dst_bmibuf;
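Review bot: dropping these fixed 256-entry stack buffers only moves the overwrite unless whatever fills the replacement buffers bounds the colour count first; FIELD_OFFSET( BITMAPINFO, bmiColors[256] ) leaves room for exactly 256 RGBQUAD entries, so the code that copies into src_info/dst_info must reject a colors value above 256 before that value becomes the memcpy length, otherwise the same out-of-bounds write lands on the heap instead of the stack. The patch description should also say where the oversized count comes from, so that the bound is added at the source rather than at each caller.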
>
> There's another instance of that in GetDIBits. Allocating 2KB+ (2 x
> 1064 bytes) of data on the stack is not very reasonable I guess.
>
Hmm, allocating the structure on the stack is not really the problem. The
problem is that part of the stack gets overwritten.
Allocating these structures on the heap mostly hides the bug.
I think that
bitmapinfo_from_user_bitmapinfo()
is the real culprit. I think colors gets too big (> 256), and therefore so does
the size for the memcpy.
I just inserted a test in bitmapinfo_from_user_bitmapinfo() for whether colors
is larger than 256, and this is indeed the case.
Regards,
--
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts
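The bound the reply argues for, as an added example written for this page (it is not Wine's code and does not reproduce bitmapinfo_from_user_bitmapinfo()): the structures are local copies of the public Win32 layouts, the palette-size rules are a simplified reading of the BITMAPINFO contract, and every function name below is hypothetical. The buffers are sized exactly like the stack buffers in the quoted hunk (1064 bytes); a constructed header with biClrUsed = 1000 would drive an unchecked memcpy to 4040 bytes, while deriving the colour count first and bounding it rejects the header before any copy happens:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local copies of the public Win32 layouts so this builds without windows.h. */
typedef struct {
    uint32_t biSize; int32_t biWidth, biHeight; uint16_t biPlanes, biBitCount;
    uint32_t biCompression, biSizeImage; int32_t biXPelsPerMeter, biYPelsPerMeter;
    uint32_t biClrUsed, biClrImportant;
} BITMAPINFOHEADER;                                   /* 40 bytes */
typedef struct { uint8_t rgbBlue, rgbGreen, rgbRed, rgbReserved; } RGBQUAD;
typedef struct { BITMAPINFOHEADER bmiHeader; RGBQUAD bmiColors[1]; } BITMAPINFO;

#define BI_RGB       0
#define BI_BITFIELDS 3
#define MAX_COLORS   256
/* Same size as FIELD_OFFSET( BITMAPINFO, bmiColors[256] ) in the quoted hunk:
 * 40-byte header plus 256 RGBQUADs = 1064 bytes. */
#define BMI_BUF_SIZE (offsetof(BITMAPINFO, bmiColors) + MAX_COLORS * sizeof(RGBQUAD))
/* Aligned fixed-size buffer standing in for the hunk's stack buffers. */
typedef union { BITMAPINFO info; char bytes[BMI_BUF_SIZE]; } bmi_buffer;

/* Number of bmiColors entries a user header implies, or -1 if it is malformed
 * or implies more than MAX_COLORS. Simplified reading of the BITMAPINFO
 * contract (hypothetical helper, not Wine's bitmapinfo_from_user_bitmapinfo). */
static int bitmapinfo_color_count(const BITMAPINFOHEADER *hdr)
{
    if (hdr->biSize < sizeof(BITMAPINFOHEADER)) return -1;
    switch (hdr->biBitCount) {
    case 1: case 4: case 8: {
        /* Palettised: biClrUsed == 0 means a full 2^bpp table; a non-zero
         * value may never exceed it. This is the bound the message says is
         * missing: without it, biClrUsed = 1000 flows straight into memcpy. */
        uint32_t max = 1u << hdr->biBitCount;
        if (hdr->biClrUsed == 0) return (int)max;
        return hdr->biClrUsed <= max ? (int)hdr->biClrUsed : -1;
    }
    case 16: case 32:
        if (hdr->biCompression == BI_BITFIELDS) return 3;   /* three DWORD masks */
        /* fall through */
    case 24:   /* true colour: optional palette hint, still capped at 256 */
        return hdr->biClrUsed <= MAX_COLORS ? (int)hdr->biClrUsed : -1;
    default:
        return -1;
    }
}

/* Size an unchecked copy would use (biClrUsed taken at face value). Returned,
 * not copied, so it is safe to evaluate on hostile input. */
static size_t unchecked_copy_size(const BITMAPINFOHEADER *hdr)
{
    return offsetof(BITMAPINFO, bmiColors) + (size_t)hdr->biClrUsed * sizeof(RGBQUAD);
}

/* Copy a user BITMAPINFO into a caller-owned buffer of dst_size bytes. Returns
 * bytes copied, or 0 when the header is rejected or the table would not fit:
 * the count is validated before the memcpy size is derived from it. */
static size_t copy_bitmapinfo_checked(void *dst, size_t dst_size, const BITMAPINFO *src)
{
    int colors = bitmapinfo_color_count(&src->bmiHeader);
    if (colors < 0) return 0;
    size_t total = offsetof(BITMAPINFO, bmiColors) + (size_t)colors * sizeof(RGBQUAD);
    if (total > dst_size) return 0;
    memcpy(dst, src, total);
    return total;
}

/* Constructed sample header (not real application data). */
static void fill_header(BITMAPINFOHEADER *h, uint16_t bpp, uint32_t comp, uint32_t clr_used)
{
    memset(h, 0, sizeof(*h));
    h->biSize = sizeof(*h); h->biWidth = h->biHeight = 16; h->biPlanes = 1;
    h->biBitCount = bpp; h->biCompression = comp; h->biClrUsed = clr_used;
}

/* Run one constructed header through the checked copy with buffers sized like
 * the hunk's. Returns bytes copied, 0 on rejection. */
static size_t try_copy(uint16_t bpp, uint32_t comp, uint32_t clr_used)
{
    bmi_buffer src, dst;
    memset(&src, 0, sizeof(src));
    fill_header(&src.info.bmiHeader, bpp, comp, clr_used);
    return copy_bitmapinfo_checked(dst.bytes, sizeof(dst.bytes), &src.info);
}

int main(void)
{
    static const struct { uint16_t bpp; uint32_t comp, clr; } cases[] = {
        { 8, BI_RGB, 0 }, { 4, BI_RGB, 16 }, { 32, BI_BITFIELDS, 0 }, { 24, BI_RGB, 0 },
        { 8, BI_RGB, 1000 },   /* the crash case: unchecked memcpy of 4040 bytes into 1064 */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        BITMAPINFOHEADER h;
        fill_header(&h, cases[i].bpp, cases[i].comp, cases[i].clr);
        printf("%2u bpp, biClrUsed=%4u: unchecked %4zu bytes, checked copy %4zu bytes (buffer %zu)\n",
               cases[i].bpp, cases[i].clr, unchecked_copy_size(&h),
               try_copy(cases[i].bpp, cases[i].comp, cases[i].clr), (size_t)BMI_BUF_SIZE);
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. The point of the split is that the colour count is computed and bounded once, from the header, and the memcpy length is derived from that checked value; where the buffer lives (stack or heap) then no longer matters for safety, which is exactly why moving the buffers to the heap only hides the bug.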