[1/2] winemenubuilder: fix crash on invalid icon entries

Indrek Altpere efbiaiinzinz at hotmail.com
Thu Aug 28 11:05:19 CDT 2014


Fixes https://bugs.winehq.org/show_bug.cgi?id=19241

For the InnoSetup 5 crash (and likely other similar reported crashes), the
issue seems to be GRPICONDIRENTRY with invalid information.
The dwBytesInRes has a value that exceeds the Size value in
IMAGE_RESOURCE_DATA_ENTRY, causing out-of-bounds memcpy and thus the crash.
dwBytesInRes value 0x40028, as mentioned by Focht and existing in the
executable, seems to be the size of unpacked bitmap data (256x256x4 + 40
byte header) and not the actual size of compressed PNG bytes.
Added check+clipping against the out-of-bounds read, which fixes the
particular crash.

Regards,
Indrek

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: winemenubuilder_1_crash.txt
URL: <http://www.winehq.org/pipermail/wine-patches/attachments/20140828/0a951cda/attachment.txt>
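
The check and clipping described in the mail can be sketched as follows. This is an added example, not the attached Wine patch or winemenubuilder code; the struct types are simplified stand-ins for GRPICONDIRENTRY and IMAGE_RESOURCE_DATA_ENTRY, and the function names and sample bytes are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for the Windows structures named in the mail
 * (only the fields used here; this is not the on-disk layout). */
typedef struct { uint8_t bWidth, bHeight; uint32_t dwBytesInRes; uint16_t nID; } icon_entry_t;
typedef struct { const uint8_t *data; uint32_t Size; } res_data_t;

/* Copy one icon image out of its resource. The declared dwBytesInRes is
 * untrusted: the resource's own Size is the hard upper bound for reads,
 * and dst_cap is the hard upper bound for writes.
 * Returns bytes copied; *clipped is set when the declared size was reduced. */
size_t copy_icon_image(uint8_t *dst, size_t dst_cap,
                       const icon_entry_t *entry, const res_data_t *res,
                       int *clipped)
{
    size_t n = entry->dwBytesInRes;
    *clipped = 0;
    if (!res->data) return 0;
    if (n > res->Size) { n = res->Size; *clipped = 1; }   /* bound the read  */
    if (n > dst_cap)   { n = dst_cap;   *clipped = 1; }   /* bound the write */
    memcpy(dst, res->data, n);
    return n;
}

/* Constructed sample: a 64-byte "compressed PNG" resource whose directory
 * entry claims the unpacked bitmap size 256*256*4 + 40 = 0x40028. */
size_t demo_oversized_entry(int *clipped)
{
    static uint8_t png[64] = { 0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n' };
    static uint8_t out[0x40028];
    icon_entry_t entry = { 0, 0, 0x40028, 1 };
    res_data_t res = { png, sizeof(png) };
    return copy_icon_image(out, sizeof(out), &entry, &res, clipped);
}

int main(void)
{
    int clipped;
    size_t n = demo_oversized_entry(&clipped);
    return (n == 64 && clipped) ? 0 : 1;
}
```

Without the comparison against `Size`, the copy would read 0x40028 bytes from a 64-byte resource, which is the out-of-bounds memcpy the mail describes.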

