[PATCH] comctl32/tooltips: Protect TTM_ADDTOOLW from invalid text pointers

[Nikolay Sivov]

From: Alistair Leslie-Hughes <leslie_alistair at hotmail.com>

Signed-off-by: Nikolay Sivov <nsivov at codeweavers.com>
---

For https://bugs.winehq.org/show_bug.cgi?id=10347

 dlls/comctl32/tests/tooltips.c | 39 +++++++++++++++++++++++++++++++++++++++
 dlls/comctl32/tooltips.c       |  5 +++++
 2 files changed, 44 insertions(+)

diff --git a/dlls/comctl32/tests/tooltips.c b/dlls/comctl32/tests/tooltips.c
index 3382fce..74663a6 100644
--- a/dlls/comctl32/tests/tooltips.c
+++ b/dlls/comctl32/tests/tooltips.c
@@ -446,6 +446,45 @@ static void test_gettext(void)
     r = SendMessageW(hwnd, TTM_ADDTOOLW, 0, (LPARAM)&toolinfoW);
     ok(!r, "Adding the tool to the tooltip succeeded!\n");
 
+    /* invalid text pointer */
+    toolinfoW.cbSize = sizeof(TTTOOLINFOW);
+    toolinfoW.hwnd = notify;
+    toolinfoW.hinst = GetModuleHandleA(NULL);
+    toolinfoW.uFlags = 0;
+    toolinfoW.uId = 0;
+    toolinfoW.lpszText = (LPWSTR)0xdeadbeef;
+    toolinfoW.lParam = 0;
+    GetClientRect(hwnd, &toolinfoW.rect);
+    r = SendMessageA(hwnd, TTM_ADDTOOLW, 0, (LPARAM)&toolinfoW);
+    ok(!r, "Adding the tool to the tooltip succeeded!\n");
+
+    /* callback text */
+    toolinfoW.cbSize = sizeof(TTTOOLINFOW);
+    toolinfoW.hwnd = notify;
+    toolinfoW.hinst = GetModuleHandleA(NULL);
+    toolinfoW.uFlags = 0;
+    toolinfoW.uId = 0;
+    toolinfoW.lpszText = LPSTR_TEXTCALLBACKW;
+    toolinfoW.lParam = 0;
+    GetClientRect(hwnd, &toolinfoW.rect);
+    r = SendMessageA(hwnd, TTM_ADDTOOLW, 0, (LPARAM)&toolinfoW);
+    ok(r, "Adding the tool to the tooltip failed!\n");
+
+    /* TTM_ADDTOOLA does not handle invalid addresses */
+    if (0)
+    {
+        toolinfoA.cbSize = sizeof(TTTOOLINFOA);
+        toolinfoA.hwnd = notify;
+        toolinfoA.hinst = GetModuleHandleA(NULL);
+        toolinfoA.uFlags = 0;
+        toolinfoA.uId = 0;
+        toolinfoA.lpszText = (LPSTR)0xdeadbeef;
+        toolinfoA.lParam = 0;
+        GetClientRect(hwnd, &toolinfoA.rect);
+        r = SendMessageA(hwnd, TTM_ADDTOOLA, 0, (LPARAM)&toolinfoA);
+        ok(!r, "Adding the tool to the tooltip succeeded!\n");
+    }
+
     if (0)  /* crashes on NT4 */
     {
         toolinfoW.hwnd = NULL;
diff --git a/dlls/comctl32/tooltips.c b/dlls/comctl32/tooltips.c
index 8bf6919..f4a8f85 100644
--- a/dlls/comctl32/tooltips.c
+++ b/dlls/comctl32/tooltips.c
@@ -1041,6 +1041,11 @@ TOOLTIPS_AddToolT (TOOLTIPS_INFO *infoPtr, const TTTOOLINFOW *ti, BOOL isW)
     if (ti->cbSize >= TTTOOLINFOW_V2_SIZE && !ti->lpszText && isW)
         return FALSE;
 
+    /* validate tool text */
+    if (isW && !IS_INTRESOURCE(ti->lpszText) && !TOOLTIPS_IsCallbackString(ti->lpszText, isW) &&
+        IsBadStringPtrW(ti->lpszText, ~(ULONG_PTR)0))
+        return FALSE;
+
     if (infoPtr->uNumTools == 0) {
 	infoPtr->tools = Alloc (sizeof(TTTOOL_INFO));
 	toolPtr = infoPtr->tools;
-- 
2.8.0.rc3