[04/11] windowscodecs: Check IFD structure when loading metadata.
Dmitry Timoshkov
dmitry at baikal.ru
Tue Jun 12 23:38:50 CDT 2012
---
dlls/windowscodecs/metadatahandler.c | 33 +++++++++++++++++++++++++++++++++
include/wincodec.idl | 1 +
2 files changed, 34 insertions(+)
diff --git a/dlls/windowscodecs/metadatahandler.c b/dlls/windowscodecs/metadatahandler.c
index d2eb8b3..6433136 100644
--- a/dlls/windowscodecs/metadatahandler.c
+++ b/dlls/windowscodecs/metadatahandler.c
@@ -733,6 +733,39 @@ static HRESULT LoadIfdMetadata(IStream *input, const GUID *preferred_vendor,
return hr;
}
+ /* limit number of IFDs to 4096 to avoid infinite loop */
+ for (i = 0; i < 4096; i++)
+ {
+ ULONG next_ifd_offset;
+ LARGE_INTEGER pos;
+ USHORT next_ifd_count;
+
+ hr = IStream_Read(input, &next_ifd_offset, sizeof(next_ifd_offset), NULL);
+ if (FAILED(hr)) break;
+
+ SWAP_ULONG(next_ifd_offset);
+ if (!next_ifd_offset) break;
+
+ pos.QuadPart = next_ifd_offset;
+ hr = IStream_Seek(input, pos, SEEK_SET, NULL);
+ if (FAILED(hr)) break;
+
+ hr = IStream_Read(input, &next_ifd_count, sizeof(next_ifd_count), NULL);
+ if (FAILED(hr)) break;
+
+ SWAP_USHORT(next_ifd_count);
+
+ pos.QuadPart = next_ifd_count * sizeof(*entry);
+ hr = IStream_Seek(input, pos, SEEK_CUR, NULL);
+ if (FAILED(hr)) break;
+ }
+
+ if (FAILED(hr) || i == 4096)
+ {
+ HeapFree(GetProcessHeap(), 0, entry);
+ return WINCODEC_ERR_BADMETADATAHEADER;
+ }
+
result = HeapAlloc(GetProcessHeap(), 0, count * sizeof(*result));
if (!result)
{
diff --git a/include/wincodec.idl b/include/wincodec.idl
index 9284499..275b60e 100644
--- a/include/wincodec.idl
+++ b/include/wincodec.idl
@@ -196,6 +196,7 @@ cpp_quote("#define WINCODEC_ERR_CODECNOTHUMBNAIL 0x88982f44")
cpp_quote("#define WINCODEC_ERR_PALETTEUNAVAILABLE 0x88982f45")
cpp_quote("#define WINCODEC_ERR_COMPONENTNOTFOUND 0x88982f50")
cpp_quote("#define WINCODEC_ERR_FRAMEMISSING 0x88982f62")
+cpp_quote("#define WINCODEC_ERR_BADMETADATAHEADER 0x88982f63")
cpp_quote("#define WINCODEC_ERR_UNSUPPORTEDPIXELFORMAT 0x88982f80")
cpp_quote("#define WINCODEC_ERR_UNSUPPORTEDOPERATION 0x88982f81")
cpp_quote("#define WINCODEC_ERR_INSUFFICIENTBUFFER 0x88982f8c")
--
1.7.10.1
More information about the wine-patches
mailing list