ole32: Zero STGMEDIUM before calling IDataObject::GetData.
Thomas Faber
thomas.faber at reactos.org
Sat Feb 25 12:30:26 CST 2017
Windows initializes this structure to protect against broken
applications.
E.g. WinRAR fails to initialize pUnkForRelease, which can lead to
dereferencing an invalid pointer.
-------------- next part --------------
From dbf3abb0df73ef952d21ccfae4b14ad88600d485 Mon Sep 17 00:00:00 2001
From: Thomas Faber <thomas.faber at reactos.org>
Date: Thu, 23 Feb 2017 17:55:00 +0100
Subject: ole32: Zero STGMEDIUM before calling IDataObject::GetData.
Signed-off-by: Thomas Faber <thomas.faber at reactos.org>
---
dlls/ole32/clipboard.c | 10 ++++++++--
dlls/ole32/tests/clipboard.c | 4 ++++
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/dlls/ole32/clipboard.c b/dlls/ole32/clipboard.c
index faec553c03b5..d48ea792d623 100644
--- a/dlls/ole32/clipboard.c
+++ b/dlls/ole32/clipboard.c
@@ -741,7 +741,7 @@ static HRESULT get_data_from_storage(IDataObject *data, FORMATETC *fmt, HGLOBAL
hr = IDataObject_GetDataHere(data, &stg_fmt, &med);
if(FAILED(hr))
{
- med.u.pstg = NULL;
+ memset(&med, 0, sizeof(med));
hr = IDataObject_GetData(data, &stg_fmt, &med);
if(FAILED(hr)) goto end;
@@ -789,7 +789,7 @@ static HRESULT get_data_from_stream(IDataObject *data, FORMATETC *fmt, HGLOBAL *
LARGE_INTEGER offs;
ULARGE_INTEGER pos;
- med.u.pstm = NULL;
+ memset(&med, 0, sizeof(med));
hr = IDataObject_GetData(data, &stm_fmt, &med);
if(FAILED(hr)) goto error;
@@ -826,6 +826,7 @@ static HRESULT get_data_from_global(IDataObject *data, FORMATETC *fmt, HGLOBAL *
mem_fmt = *fmt;
mem_fmt.tymed = TYMED_HGLOBAL;
+ memset(&med, 0, sizeof(med));
hr = IDataObject_GetData(data, &mem_fmt, &med);
if(FAILED(hr)) return hr;
@@ -853,6 +854,7 @@ static HRESULT get_data_from_enhmetafile(IDataObject *data, FORMATETC *fmt, HGLO
mem_fmt = *fmt;
mem_fmt.tymed = TYMED_ENHMF;
+ memset(&med, 0, sizeof(med));
hr = IDataObject_GetData(data, &mem_fmt, &med);
if(FAILED(hr)) return hr;
@@ -880,6 +882,7 @@ static HRESULT get_data_from_metafilepict(IDataObject *data, FORMATETC *fmt, HGL
mem_fmt = *fmt;
mem_fmt.tymed = TYMED_MFPICT;
+ memset(&med, 0, sizeof(med));
hr = IDataObject_GetData(data, &mem_fmt, &med);
if(FAILED(hr)) return hr;
@@ -909,6 +912,7 @@ static HRESULT get_data_from_bitmap(IDataObject *data, FORMATETC *fmt, HBITMAP *
mem_fmt = *fmt;
mem_fmt.tymed = TYMED_GDI;
+ memset(&med, 0, sizeof(med));
hr = IDataObject_GetData(data, &mem_fmt, &med);
if(FAILED(hr)) return hr;
@@ -1394,6 +1398,8 @@ static HRESULT WINAPI snapshot_GetData(IDataObject *iface, FORMATETC *fmt,
if ( !fmt || !med ) return E_INVALIDARG;
+ memset(med, 0, sizeof(*med));
+
if ( !OpenClipboard(NULL)) return CLIPBRD_E_CANT_OPEN;
if(!This->data)
diff --git a/dlls/ole32/tests/clipboard.c b/dlls/ole32/tests/clipboard.c
index a30796cff5d5..1c8923e6080d 100644
--- a/dlls/ole32/tests/clipboard.c
+++ b/dlls/ole32/tests/clipboard.c
@@ -246,6 +246,10 @@ static HRESULT WINAPI DataObjectImpl_GetData(IDataObject* iface, FORMATETC *pfor
DataObjectImpl_GetData_calls++;
+ ok(pmedium->tymed == 0, "pmedium->tymed = %u\n", pmedium->tymed);
+ ok(U(*pmedium).hGlobal == NULL, "pmedium->hGlobal = %p\n", U(*pmedium).hGlobal);
+ ok(pmedium->pUnkForRelease == NULL, "pmedium->pUnkForRelease = %p\n", pmedium->pUnkForRelease);
+
if(pformatetc->lindex != -1)
return DV_E_FORMATETC;
--
2.11.1
More information about the wine-patches
mailing list