PATCH: overflows with ClrUsed

Marcus Meissner marcus at jet.franken.de
Sun Feb 13 15:34:06 CST 2005


Hi,

The bitmap loading code uses "ClrUsed". However, it usually silently assumes
that it is <= 256, while it is actually a 32-bit unsigned value.

This is one of the reported buffer overflow problems in Windows ;)

This patch adds some checks.

Ciao, Marcus

Index: dlls/gdi/dib.c
===================================================================
RCS file: /home/wine/wine/dlls/gdi/dib.c,v
retrieving revision 1.7
diff -u -r1.7 dib.c
--- dlls/gdi/dib.c	2 Nov 2004 05:23:49 -0000	1.7
+++ dlls/gdi/dib.c	13 Feb 2005 21:27:39 -0000
@@ -133,6 +133,7 @@
     else  /* assume BITMAPINFOHEADER */
     {
         colors = info->bmiHeader.biClrUsed;
+        if (colors > 256) colors = 256;
         if (!colors && (info->bmiHeader.biBitCount <= 8))
             colors = 1 << info->bmiHeader.biBitCount;
         return sizeof(BITMAPINFOHEADER) + colors *
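Review bot: The new clamp on the `colors > 256` line introduces a bare magic number that this patch repeats in dib.c, olepicture.c, ps.c and cursoricon.c with no shared explanation of where 256 comes from; a one-line comment at this first occurrence would help, e.g. `if (colors > 256) colors = 256; /* 8bpp is the deepest indexed DIB, so a colour table never holds more than 256 entries */`. For `biBitCount <= 8` the bound could presumably be tightened to `1 << biBitCount`, though whether callers rely on the declared rather than the maximal table size is not visible here. The enclosing function starts and ends outside the hunk.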
Index: dlls/oleaut32/olepicture.c
===================================================================
RCS file: /home/wine/wine/dlls/oleaut32/olepicture.c,v
retrieving revision 1.51
diff -u -r1.51 olepicture.c
--- dlls/oleaut32/olepicture.c	14 Jan 2005 16:12:10 -0000	1.51
+++ dlls/oleaut32/olepicture.c	13 Feb 2005 21:27:44 -0000
@@ -1514,9 +1514,15 @@
     GetDIBits(hDC, hBitmap, 0, pInfoBitmap->bmiHeader.biHeight, pPixelData, pInfoBitmap, DIB_RGB_COLORS);
 
     /* Calculate the total length required for the BMP data */
-    if (pInfoBitmap->bmiHeader.biClrUsed != 0) iNumPaletteEntries = pInfoBitmap->bmiHeader.biClrUsed;
-    else if (pInfoBitmap->bmiHeader.biBitCount <= 8) iNumPaletteEntries = 1 << pInfoBitmap->bmiHeader.biBitCount;
-    else iNumPaletteEntries = 0;
+    if (pInfoBitmap->bmiHeader.biClrUsed != 0) {
+	iNumPaletteEntries = pInfoBitmap->bmiHeader.biClrUsed;
+	if (iNumPaletteEntries > 256) iNumPaletteEntries = 256;
+    } else {
+	if (pInfoBitmap->bmiHeader.biBitCount <= 8)
+	    iNumPaletteEntries = 1 << pInfoBitmap->bmiHeader.biBitCount;
+	else
+    	    iNumPaletteEntries = 0;
+    }
     *pLength =
         sizeof(BITMAPFILEHEADER) +
         sizeof(BITMAPINFOHEADER) +
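Review bot: The clamp on `iNumPaletteEntries` is applied after the DWORD `biClrUsed` has already been assigned to it, so if `iNumPaletteEntries` is a signed int (its declaration is outside the hunk) a value above INT_MAX wraps negative, passes the `> 256` test and feeds a negative term into `*pLength`; comparing the field itself avoids that, e.g. `iNumPaletteEntries = pInfoBitmap->bmiHeader.biClrUsed > 256 ? 256 : pInfoBitmap->bmiHeader.biClrUsed;`. The same pattern appears with `iNumEntriesPalette` in the following hunk (`@@ -1624`), whose added line also carries trailing whitespace. The added lines here are tab-indented while the surrounding block uses spaces, and the `iNumPaletteEntries = 0;` line mixes both. The enclosing function starts and ends outside the hunk.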
@@ -1624,6 +1630,7 @@
 				||	(pInfoBitmap->bmiHeader.biBitCount == 24)
 				||	(pInfoBitmap->bmiHeader.biBitCount == 32 && pInfoBitmap->bmiHeader.biCompression == BI_RGB)) {
 				iNumEntriesPalette = pInfoBitmap->bmiHeader.biClrUsed;
+				if (iNumEntriesPalette > 256) iNumEntriesPalette = 256; 
 			} else if ((pInfoBitmap->bmiHeader.biBitCount == 16 || pInfoBitmap->bmiHeader.biBitCount == 32)
 				&& pInfoBitmap->bmiHeader.biCompression == BI_BITFIELDS) {
 				iNumEntriesPalette = 3;
Index: dlls/wineps/ps.c
===================================================================
RCS file: /home/wine/wine/dlls/wineps/ps.c,v
retrieving revision 1.30
diff -u -r1.30 ps.c
--- dlls/wineps/ps.c	2 Nov 2004 19:25:51 -0000	1.30
+++ dlls/wineps/ps.c	13 Feb 2005 21:27:46 -0000
@@ -854,6 +854,7 @@
 
     bits = (char*)bmi + bmi->bmiHeader.biSize;
     colours = bmi->bmiHeader.biClrUsed;
+    if (colours > 256) colours = 256;
     if(!colours && bmi->bmiHeader.biBitCount <= 8)
         colours = 1 << bmi->bmiHeader.biBitCount;
     bits += colours * ((usage == DIB_RGB_COLORS) ?
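Review bot: The added `if (colours > 256) colours = 256;` silently truncates a header field that is about to be used as a pointer offset into `bits`, but unlike the cursoricon.c hunk of this same patch it carries no comment saying why; a matching comment keeps the five copies of this check recognisable as one fix, e.g. `if (colours > 256) colours = 256; /* biClrUsed is untrusted; a DIB colour table never exceeds 256 entries */`. Whether `colours` is unsigned, so that the comparison sees the full DWORD range, cannot be told from the hunk. The enclosing function starts and ends outside the hunk.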
Index: windows/cursoricon.c
===================================================================
RCS file: /home/wine/wine/windows/cursoricon.c,v
retrieving revision 1.82
diff -u -r1.82 cursoricon.c
--- windows/cursoricon.c	19 Jan 2005 19:09:38 -0000	1.82
+++ windows/cursoricon.c	13 Feb 2005 21:27:50 -0000
@@ -219,6 +219,8 @@
     else  /* assume BITMAPINFOHEADER */
     {
         colors = info->bmiHeader.biClrUsed;
+	if (colors > 256) /* buffer overflow otherwise */
+		colors = 256;
         if (!colors && (info->bmiHeader.biBitCount <= 8))
             colors = 1 << info->bmiHeader.biBitCount;
         return sizeof(BITMAPINFOHEADER) + colors *
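Review bot: The two added lines are tab-indented inside a block that the surrounding context indents with spaces, and the split across two lines differs from the one-line form the same patch uses in dib.c for the identical check; `        if (colors > 256) colors = 256; /* 256 is the largest colour table a DIB can carry */` would match both the file's indentation and the sibling hunk. The existing comment names the symptom (`buffer overflow otherwise`) rather than the bound, which is the part a later reader needs. The enclosing function starts and ends outside the hunk.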
@@ -2043,6 +2045,7 @@
   {
       incr = 4;
       colors = bmi->bmiHeader.biClrUsed;
+      if (colors > 256) colors = 256;
       if (!colors && (bpp <= 8)) colors = 1 << bpp;
   }
   
-- 


