bug in OLEPictureImpl_Load (and possibly other stream readers)

Michael Blumenkrantz michael.blumenkrantz at gmail.com
Sun Sep 4 00:18:03 CDT 2011


I have been working with Bernhard Loos (jhgf) for the past couple days to track
down the source of http://bugs.winehq.org/show_bug.cgi?id=28235, and today I am
happy to report that I have finally located it!

Attached are two files:
olefail.cpp - the source
olefail.txt - actually olefail.exe renamed to evade mailing list filters :)

This is a tiny demo app, most of which is copied right out of MSDN, which
showcases the problem. To break it down:

* On Windows, OLEPictureImpl_Load will read exactly 2 bytes for the header to
  attempt to determine the length in the case that the stat() member function of
  the stream interface is broken. This is acknowledged in a large block comment at
  olepicture.c:1339. Wine then ignores this fact and reads 8 bytes. This is just
  the tip of the bug, however!
* The major bug is that after this, at olepicture.c:1412, wine decides to
  attempt to read a buffer of unknown size and content UNTIL THE END OF
  THE BUFFER. While this may work for reading a string, when reading a binary
  buffer you MUST know the size. I'm sure we all know this :)
* Unless the stream reader interface is fairly smart at this point and returns
  0 bytes read (which seems unlikely if the stat() mechanism is broken), wine is
  guaranteed to crash.

The solution here is to remove the broken "try until you die" method of
attempting to read more than 2 bytes of the unknown buffer. Instead, simply
return an error as Windows does and move on.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: olefail.cpp
Type: text/x-c++src
Size: 4307 bytes
Desc: not available
URL: <http://www.winehq.org/pipermail/wine-devel/attachments/20110904/f2afe72d/attachment.cpp>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: olefail.txt
URL: <http://www.winehq.org/pipermail/wine-devel/attachments/20110904/f2afe72d/attachment.txt>
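
The bounded-read pattern the post argues for, as an added illustration that is not part of the mail, the attached olefail.cpp, or Wine's olepicture.c: a constructed stand-in for the stream (Read() plus a Stat() that can be made to fail) and a loader that takes the payload length from Stat() or from exactly 2 header bytes, and returns an error instead of reading until the end of an unknown buffer. The 2-byte header is assumed here to be a little-endian payload length; that is a simplification for the example, not the real OLE picture header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the stream interface: Read() hands back up to len
 * bytes and reports how many it gave, Stat() reports the total length or
 * fails the way the stream in bug 28235 does (stat_broken = 1). */
typedef struct { const uint8_t *data; size_t size, pos; int stat_broken; } Stream;

static int stream_stat(const Stream *s, size_t *len) {
    if (s->stat_broken) return -1;
    *len = s->size;
    return 0;
}

static size_t stream_read(Stream *s, uint8_t *buf, size_t len) {
    size_t n = s->size - s->pos;
    if (n > len) n = len;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return n;
}

enum { LOAD_OK, LOAD_ERR_UNKNOWN_SIZE, LOAD_ERR_TRUNCATED, LOAD_ERR_TOO_BIG };

/* Bounded loader: read exactly 2 header bytes, take the payload length from
 * Stat() or, when Stat() is broken, from the header alone (assumed little-endian
 * length here), and never guess beyond that length. */
static int load_picture(Stream *s, uint8_t *out, size_t out_cap, size_t *out_len) {
    uint8_t hdr[2];
    size_t len;
    if (stream_read(s, hdr, sizeof hdr) != sizeof hdr) return LOAD_ERR_TRUNCATED;
    if (stream_stat(s, &len) == 0) {
        len -= sizeof hdr;                            /* Stat() works: payload follows header */
    } else {
        len = (size_t)hdr[0] | ((size_t)hdr[1] << 8);
        if (len == 0) return LOAD_ERR_UNKNOWN_SIZE;   /* give up, as Windows does */
    }
    if (len > out_cap) return LOAD_ERR_TOO_BIG;       /* never overrun the caller's buffer */
    if (stream_read(s, out, len) != len) return LOAD_ERR_TRUNCATED; /* short stream: error */
    *out_len = len;
    return LOAD_OK;
}

/* Runs one constructed case and returns the loader's result code. */
static int run_case(const uint8_t *data, size_t n, int stat_broken, size_t out_cap) {
    Stream s = { data, n, 0, stat_broken };
    uint8_t out[64];
    size_t got = 0;
    return load_picture(&s, out, out_cap < sizeof out ? out_cap : sizeof out, &got);
}

int main(void) {
    static const uint8_t good[] = { 3, 0, 'A', 'B', 'C' };
    printf("stat broken, header says 3: %d\n", run_case(good, sizeof good, 1, 64));
    return 0;
}
```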