PATCH: overflows with ClrUsed
Marcus Meissner
marcus at jet.franken.de
Sun Feb 13 15:34:06 CST 2005
Hi,
The bitmap loading code uses "ClrUsed". However, it usually silently assumes
that it is <= 256, while it is actually a 32-bit unsigned value.
This is one of the reported buffer overflow problems in Windows ;)
This patch adds some checks.
Ciao, Marcus
Index: dlls/gdi/dib.c
===================================================================
RCS file: /home/wine/wine/dlls/gdi/dib.c,v
retrieving revision 1.7
diff -u -r1.7 dib.c
--- dlls/gdi/dib.c 2 Nov 2004 05:23:49 -0000 1.7
+++ dlls/gdi/dib.c 13 Feb 2005 21:27:39 -0000
@@ -133,6 +133,7 @@
else /* assume BITMAPINFOHEADER */
{
colors = info->bmiHeader.biClrUsed;
+ if (colors > 256) colors = 256;
if (!colors && (info->bmiHeader.biBitCount <= 8))
colors = 1 << info->bmiHeader.biBitCount;
return sizeof(BITMAPINFOHEADER) + colors *
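Review bot: The new clamp `if (colors > 256) colors = 256;` only takes effect if `colors` is unsigned; its declaration is above the hunk, and if it is a signed `int`, a biClrUsed above INT_MAX becomes negative, the comparison is false, and the negative count reaches the size computation on the return line. Comparing the DWORD field before assigning removes the dependence on the local's type: `colors = info->bmiHeader.biClrUsed > 256 ? 256 : info->bmiHeader.biClrUsed;`. The same pattern is added in the ps.c hunk (`colours`) and in both cursoricon.c hunks (`colors`), and the two olepicture.c hunks assign to `iNumPaletteEntries` and `iNumEntriesPalette`, whose declarations are likewise outside view. The enclosing function starts before and ends after this hunk.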
Index: dlls/oleaut32/olepicture.c
===================================================================
RCS file: /home/wine/wine/dlls/oleaut32/olepicture.c,v
retrieving revision 1.51
diff -u -r1.51 olepicture.c
--- dlls/oleaut32/olepicture.c 14 Jan 2005 16:12:10 -0000 1.51
+++ dlls/oleaut32/olepicture.c 13 Feb 2005 21:27:44 -0000
@@ -1514,9 +1514,15 @@
GetDIBits(hDC, hBitmap, 0, pInfoBitmap->bmiHeader.biHeight, pPixelData, pInfoBitmap, DIB_RGB_COLORS);
/* Calculate the total length required for the BMP data */
- if (pInfoBitmap->bmiHeader.biClrUsed != 0) iNumPaletteEntries = pInfoBitmap->bmiHeader.biClrUsed;
- else if (pInfoBitmap->bmiHeader.biBitCount <= 8) iNumPaletteEntries = 1 << pInfoBitmap->bmiHeader.biBitCount;
- else iNumPaletteEntries = 0;
+ if (pInfoBitmap->bmiHeader.biClrUsed != 0) {
+ iNumPaletteEntries = pInfoBitmap->bmiHeader.biClrUsed;
+ if (iNumPaletteEntries > 256) iNumPaletteEntries = 256;
+ } else {
+ if (pInfoBitmap->bmiHeader.biBitCount <= 8)
+ iNumPaletteEntries = 1 << pInfoBitmap->bmiHeader.biBitCount;
+ else
+ iNumPaletteEntries = 0;
+ }
*pLength =
sizeof(BITMAPFILEHEADER) +
sizeof(BITMAPINFOHEADER) +
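Review bot: The rewritten branch nests a plain `if`/`else` inside the `else` block where the original `else if` chain was flat; since the `1 << biBitCount` path already yields at most 256 for biBitCount <= 8, the clamp can follow the chain instead, which keeps the three original lines intact and matches the shape used in the dib.c and ps.c hunks: `if (iNumPaletteEntries > 256) iNumPaletteEntries = 256;` placed after the `else iNumPaletteEntries = 0;` line. The clamp only fixes the count used for `*pLength`; if the code that later copies the colour table reads biClrUsed from the header again rather than `iNumPaletteEntries`, it would still overrun, which is worth confirming below the hunk. The enclosing function starts before and ends after this hunk.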
@@ -1624,6 +1630,7 @@
|| (pInfoBitmap->bmiHeader.biBitCount == 24)
|| (pInfoBitmap->bmiHeader.biBitCount == 32 && pInfoBitmap->bmiHeader.biCompression == BI_RGB)) {
iNumEntriesPalette = pInfoBitmap->bmiHeader.biClrUsed;
+ if (iNumEntriesPalette > 256) iNumEntriesPalette = 256;
} else if ((pInfoBitmap->bmiHeader.biBitCount == 16 || pInfoBitmap->bmiHeader.biBitCount == 32)
&& pInfoBitmap->bmiHeader.biCompression == BI_BITFIELDS) {
iNumEntriesPalette = 3;
Index: dlls/wineps/ps.c
===================================================================
RCS file: /home/wine/wine/dlls/wineps/ps.c,v
retrieving revision 1.30
diff -u -r1.30 ps.c
--- dlls/wineps/ps.c 2 Nov 2004 19:25:51 -0000 1.30
+++ dlls/wineps/ps.c 13 Feb 2005 21:27:46 -0000
@@ -854,6 +854,7 @@
bits = (char*)bmi + bmi->bmiHeader.biSize;
colours = bmi->bmiHeader.biClrUsed;
+ if (colours > 256) colours = 256;
if(!colours && bmi->bmiHeader.biBitCount <= 8)
colours = 1 << bmi->bmiHeader.biBitCount;
bits += colours * ((usage == DIB_RGB_COLORS) ?
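Review bot: Clamping `colours` bounds the advance of `bits` to at most 256 entries, but the hunk shows no length for the buffer `bmi` points at, so `bits` can still land past the end of a BITMAPINFO that is shorter than its header claims (biSize on the first line is likewise taken on trust). If the enclosing function has access to the buffer's size, `bits` should be checked against it after the advance; otherwise a comment such as `/* colours comes from the caller's header; the resulting bits pointer is not validated against the buffer size */` would record the remaining assumption. The enclosing function starts before and ends after this hunk.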
Index: windows/cursoricon.c
===================================================================
RCS file: /home/wine/wine/windows/cursoricon.c,v
retrieving revision 1.82
diff -u -r1.82 cursoricon.c
--- windows/cursoricon.c 19 Jan 2005 19:09:38 -0000 1.82
+++ windows/cursoricon.c 13 Feb 2005 21:27:50 -0000
@@ -219,6 +219,8 @@
else /* assume BITMAPINFOHEADER */
{
colors = info->bmiHeader.biClrUsed;
+ if (colors > 256) /* buffer overflow otherwise */
+ colors = 256;
if (!colors && (info->bmiHeader.biBitCount <= 8))
colors = 1 << info->bmiHeader.biBitCount;
return sizeof(BITMAPINFOHEADER) + colors *
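Review bot: The comment `/* buffer overflow otherwise */` on the new `if` names the consequence but not the invariant, and the identical clamp in the dib.c hunk carries no comment at all; a comment stating the bound makes the intent checkable, e.g. `/* this code assumes a colour table of at most 256 entries; a larger biClrUsed would make callers read past it */`. The two-line form `if (colors > 256)` / `colors = 256;` without braces also differs from the one-line form used in the other hunks of this patch. The enclosing function starts before and ends after this hunk.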
@@ -2043,6 +2045,7 @@
{
incr = 4;
colors = bmi->bmiHeader.biClrUsed;
+ if (colors > 256) colors = 256;
if (!colors && (bpp <= 8)) colors = 1 << bpp;
}
--