winemenubuilder: fix crash caused by invalid icon entries and avoid future crashes by ignoring unhandled png entries (resend)

Indrek Altpere efbiaiinzinz at hotmail.com
Thu Aug 28 01:30:34 CDT 2014


Forgot to link to the bug before, also added more detailed description.

Fixes https://bugs.winehq.org/show_bug.cgi?id=19241

For the InnoSetup 5 crash (and likely other similar reported crashes), the
issue seems to be GRPICONDIRENTRY with invalid information.
The dwBytesInRes has a value that exceeds the Size value in
IMAGE_RESOURCE_DATA_ENTRY, causing out-of-bounds memcpy and thus the crash.
dwBytesInRes value 0x40028, as mentioned by Focht and existing in the
executable, seems to be the size of unpacked bitmap data (256x256x4 + 40
byte header) and not the actual size of compressed PNG bytes.
Added check+clipping against the out-of-bounds read, which fixes the
particular crash.

As per the MSDN blog, icon resources can contain raw PNG information instead of
regular BITMAPINFO, but due to weird decisions, the only way to differentiate
between them is to check if the resource starts with PNG header bytes.
http://blogs.msdn.com/b/oldnewthing/archive/2010/10/22/10079192.aspx
Made the winemenubuilder ignore such entries for now (with fixme notices),
since using PNG raw bytes as BITMAPINFO data is definitely invalid and is
due to cause other issues/crashes when the best matching size icon happens
to be PNG. A new bug should be opened for the missing PNG support.

Regards,
Indrek

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: winemenubuilder-fix.txt
URL: <http://www.winehq.org/pipermail/wine-patches/attachments/20140828/4780ad0b/attachment.txt>
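
The two checks described in the message above (clipping dwBytesInRes to the real resource size, and skipping resources that start with the PNG signature), as an added example that is not the attached patch or Wine's own code. The function names, status codes and sample buffers are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this sketch; not Wine identifiers. */
enum icon_status { ICON_OK, ICON_CLIPPED, ICON_PNG_SKIPPED, ICON_ERROR };

static const uint8_t png_sig[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

/* Constructed samples: a 40-byte stand-in for a BITMAPINFOHEADER, and a PNG-led blob. */
static const uint8_t sample_bmp[40] = {40, 0, 0, 0};
static const uint8_t sample_png[16] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

/* 1 if the resource data starts with the 8-byte PNG signature. */
int icon_is_png(const uint8_t *res, size_t res_size)
{
    return res_size >= sizeof(png_sig) && memcmp(res, png_sig, sizeof(png_sig)) == 0;
}

/*
 * claimed  - dwBytesInRes from the GRPICONDIRENTRY (untrusted)
 * res_size - Size from the IMAGE_RESOURCE_DATA_ENTRY (bytes really present)
 */
enum icon_status copy_icon_image(const uint8_t *res, size_t res_size, uint32_t claimed,
                                 uint8_t *dst, size_t dst_cap, size_t *copied)
{
    size_t n = claimed;
    enum icon_status st = ICON_OK;

    if (!res || !dst || !copied) return ICON_ERROR;
    *copied = 0;
    if (icon_is_png(res, res_size)) return ICON_PNG_SKIPPED; /* not BITMAPINFO data */
    if (n > res_size) { n = res_size; st = ICON_CLIPPED; }   /* clip to real size */
    if (n > dst_cap) return ICON_ERROR;                      /* never overrun dst */
    memcpy(dst, res, n);
    *copied = n;
    return st;
}

int main(void)
{
    uint8_t dst[64];
    size_t copied;
    /* 0x40028 is the oversized dwBytesInRes value quoted in the message. */
    enum icon_status st = copy_icon_image(sample_bmp, sizeof(sample_bmp), 0x40028,
                                          dst, sizeof(dst), &copied);
    printf("status=%d copied=%zu\n", st, copied);
    return st == ICON_CLIPPED ? 0 : 1;
}
```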

