[Bug 30827] New: Uninitialized memory reference in create_icon_pixmaps() -> GetDIBits() -> bitmapinfoheader_from_user_bitmapinfo()
http://bugs.winehq.org/show_bug.cgi?id=30827

           Bug #: 30827
          Summary: Uninitialized memory reference in create_icon_pixmaps()
                   -> GetDIBits() -> bitmapinfoheader_from_user_bitmapinfo()
          Product: Wine
          Version: 1.5.5
         Platform: x86
       OS/Version: Linux
           Status: NEW
         Severity: normal
         Priority: P2
        Component: gdi32
       AssignedTo: wine-bugs(a)winehq.org
       ReportedBy: dank(a)kegel.com
   Classification: Unclassified

While looking at bug 30826, I saw

  Conditional jump or move depends on uninitialised value(s)
     at bitmapinfoheader_from_user_bitmapinfo (dib.c:177)
     by GetDIBits (dib.c:1210)
     by create_icon_pixmaps.isra.8 (window.c:883)

create_icon_pixmaps calls GetDIBits with bits=NULL and a mostly uninitialized
info, but bitmapinfoheader_from_user_bitmapinfo() assumes that biCompression
has already been initialized.

gdi32/dib.c:

 149 static BOOL bitmapinfoheader_from_user_bitmapinfo( BITMAPINFOHEADER *dst, const BITMAPINFOHEADER *info )
 150 {
 ...
 166     else if (info->biSize >= sizeof(BITMAPINFOHEADER)) /* assume BITMAPINFOHEADER */
 167     {
 168         *dst = *info;
 169     }
 ...
 176     dst->biSize = sizeof(*dst);
 177     if (dst->biCompression == BI_RGB || dst->biCompression == BI_BITFIELDS)
 178         dst->biSizeImage = get_dib_image_size( (BITMAPINFO *)dst );

1187 INT WINAPI GetDIBits(
1188     HDC hdc,           /* [in]     Handle to device context */
1189     HBITMAP hbitmap,   /* [in]     Handle to bitmap */
1190     UINT startscan,    /* [in]     First scan line to set in dest bitmap */
1191     UINT lines,        /* [in]     Number of scan lines to copy */
1192     LPVOID bits,       /* [out]    Address of array for bitmap bits */
1193     BITMAPINFO * info, /* [in,out] Address of structure with bitmap data */
1194     UINT coloruse)     /* [in]     RGB or palette index */
1195 {
 ...
1208     /* Since info may be a BITMAPCOREINFO or any of the larger BITMAPINFO structures, we'll use our
1209        own copy and transfer the colour info back at the end */
1210     if (!bitmapinfoheader_from_user_bitmapinfo( &dst_info->bmiHeader, &info->bmiHeader )) return 0;
 ....
1212     if (bits &&
1213         (dst_info->bmiHeader.biCompression == BI_JPEG || dst_info->bmiHeader.biCompression == BI_PNG))

winex11.drv/window.c:

 868 static BOOL create_icon_pixmaps( HDC hdc, const ICONINFO *icon, struct x11drv_win_data *data )
 869 {
 870     char buffer[FIELD_OFFSET( BITMAPINFO, bmiColors[256] )];
 871     BITMAPINFO *info = (BITMAPINFO *)buffer;
 ...
 881     info->bmiHeader.biSize = sizeof(BITMAPINFOHEADER);
 882     info->bmiHeader.biBitCount = 0;
 883     if (!(lines = GetDIBits( hdc, icon->hbmColor, 0, 0, NULL, info, DIB_RGB_COLORS ))) goto failed;

Note that GetDIBits is careful to avoid referencing biCompression itself when
bits is NULL, but the function it calls doesn't know whether bits is NULL.

(bug 30266 is nearby but doesn't seem related?)

--
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.
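As an added example (not Wine's code and not the patch referenced later in this thread), the C model below reproduces the dependency the report describes: a header-copy routine that branches on biCompression, a caller that sets only biSize and biBitCount for a query, and a checked variant that is told whether pixel data was requested so the query path never reads the untouched field. The stack contents are replaced by a constructed fill byte so the effect is deterministic; hdr_t is a trimmed stand-in for BITMAPINFOHEADER.

```c
/* Added illustration of Wine bug 30827 (not Wine's code); hdr_t trims BITMAPINFOHEADER. */
#include <stdint.h>
#include <string.h>
enum { BI_RGB = 0, BI_BITFIELDS = 3 };
typedef struct {
    uint32_t biSize;
    int32_t  biWidth, biHeight;
    uint16_t biPlanes, biBitCount;
    uint32_t biCompression, biSizeImage;
} hdr_t;

/* Uncompressed DIB size: each scanline is padded to a 4-byte boundary. */
static uint32_t image_size(const hdr_t *h)
{
    uint32_t stride = ((uint32_t)h->biWidth * h->biBitCount + 31) / 32 * 4;
    return stride * (uint32_t)(h->biHeight < 0 ? -h->biHeight : h->biHeight);
}
/* Models bitmapinfoheader_from_user_bitmapinfo() as quoted above: the caller's header is
 * copied wholesale and biCompression is branched on, although a header query never set it. */
static void header_from_user(hdr_t *dst, const hdr_t *info)
{
    *dst = *info;
    dst->biSize = sizeof(*dst);
    if (dst->biCompression == BI_RGB || dst->biCompression == BI_BITFIELDS)
        dst->biSizeImage = image_size(dst);
}
/* Hardened variant (this example's assumption, not the submitted Wine patch): the caller says
 * whether pixel data is wanted, so a pure header query reads only biBitCount and zeroes the rest. */
static void header_from_user_checked(hdr_t *dst, const hdr_t *info, int want_bits)
{
    if (!want_bits && info->biBitCount == 0) {
        memset(dst, 0, sizeof(*dst));          /* biCompression == BI_RGB, biSizeImage == 0 */
        dst->biSize = sizeof(*dst);
        return;
    }
    header_from_user(dst, info);               /* full copy: caller must have filled the header */
}
/* Models create_icon_pixmaps(): a header query that sets only biSize and biBitCount;
 * fill is a constructed stand-in for whatever the uninitialised buffer happened to hold. */
static uint32_t query_header(unsigned char fill, int checked)
{
    hdr_t info, dst;
    memset(&info, fill, sizeof info);
    info.biSize = sizeof info;
    info.biBitCount = 0;
    if (checked) header_from_user_checked(&dst, &info, 0);
    else         header_from_user(&dst, &info);
    return dst.biSizeImage;                    /* garbage leaks through unless the query is recognised */
}
```

With the unchecked copy the result of the query depends on the fill byte (0xCC leaves 0xCCCCCCCC in biSizeImage, 0x00 happens to look like BI_RGB), which is exactly the data dependence valgrind flags; the checked variant returns 0 for any fill.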
http://bugs.winehq.org/show_bug.cgi?id=30827

Dan Kegel <dank(a)kegel.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download
                URL|                            |http://www.gigasoft.com/PE7
                   |                            |-Pro-Setup.exe
http://bugs.winehq.org/show_bug.cgi?id=30827

--- Comment #1 from Dan Kegel <dank(a)kegel.com> 2012-06-05 13:49:40 CDT ---
Created attachment 40398
  --> http://bugs.winehq.org/attachment.cgi?id=40398
Source, binary, and log for tiny demo program

Here's a 93 line program that triggers the same warning.
The tarball contains C source, executable, and valgrind log.
http://bugs.winehq.org/show_bug.cgi?id=30827

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |austinenglish(a)gmail.com

--- Comment #2 from Alexandre Julliard <julliard(a)winehq.org> 2012-09-26 13:49:02 CDT ---
*** Bug 31803 has been marked as a duplicate of this bug. ***
http://bugs.winehq.org/show_bug.cgi?id=30827

Michal Suchanek <hramrach(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hramrach(a)gmail.com

--- Comment #3 from Michal Suchanek <hramrach(a)gmail.com> 2012-11-20 10:10:12 CST ---
Can reproduce running notepad.exe from wine 1.5.17:

==26498== Conditional jump or move depends on uninitialised value(s)
==26498==    at 0x54B5B21: bitmapinfoheader_from_user_bitmapinfo (in /usr/lib/i386-linux-gnu/wine/gdi32.dll.so)
==26498==    by 0x54B872B: GetDIBits (in /usr/lib/i386-linux-gnu/wine/gdi32.dll.so)
==26498==    by 0x5FD7DFD: create_icon_pixmaps.isra.9 (in /usr/lib/i386-linux-gnu/wine/winex11.drv.so)
==26498==    by 0x5FD9851: fetch_icon_data (in /usr/lib/i386-linux-gnu/wine/winex11.drv.so)
==26498==    by 0x5FDC4C0: X11DRV_WindowPosChanged (in /usr/lib/i386-linux-gnu/wine/winex11.drv.so)
==26498==    by 0x53E388D: set_window_pos (in /usr/lib/i386-linux-gnu/wine/user32.dll.so)
==26498==    by 0x53E47C0: USER_SetWindowPos (in /usr/lib/i386-linux-gnu/wine/user32.dll.so)
==26498==    by 0x53E3B16: SetWindowPos (in /usr/lib/i386-linux-gnu/wine/user32.dll.so)
==26498==    by 0x53E6336: show_window (in /usr/lib/i386-linux-gnu/wine/user32.dll.so)
==26498==    by 0x53E64AA: ShowWindow (in /usr/lib/i386-linux-gnu/wine/user32.dll.so)
==26498==    by 0x4BFF769: WinMain (in /usr/lib/i386-linux-gnu/wine/notepad.exe.so)
==26498==    by 0x4BF9C0D: main (in /usr/lib/i386-linux-gnu/wine/notepad.exe.so)
https://bugs.winehq.org/show_bug.cgi?id=30827

Jactry Zeng <jactry92(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jactry92(a)gmail.com
https://bugs.winehq.org/show_bug.cgi?id=30827

marc.bessieres(a)gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |marc.bessieres(a)gmail.com

--- Comment #4 from marc.bessieres(a)gmail.com ---
Hello,

I've submitted http://source.winehq.org/patches/data/108223 for this bug.

Cheers,
Marc
https://bugs.winehq.org/show_bug.cgi?id=30827

Austin English <austinenglish(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |valgrind
https://bugs.winehq.org/show_bug.cgi?id=30827

super_man(a)post.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |super_man(a)post.com

--- Comment #5 from super_man(a)post.com ---
The patch applies cleanly against 1.7.51 so the issue is still valid.
https://bugs.winehq.org/show_bug.cgi?id=30827

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |alexhenrie24(a)gmail.com

--- Comment #6 from Alexandre Julliard <julliard(a)winehq.org> ---
*** Bug 39373 has been marked as a duplicate of this bug. ***
https://bugs.winehq.org/show_bug.cgi?id=30827

--- Comment #7 from super_man(a)post.com ---
still applying

patching file dlls/gdi32/dib.c
Hunk #1 succeeded at 150 (offset 2 lines).
Hunk #2 succeeded at 180 (offset 2 lines).
Hunk #3 succeeded at 1236 (offset 14 lines).
Hunk #4 succeeded at 1275 (offset 14 lines).

wine 1.9.6-git
https://bugs.winehq.org/show_bug.cgi?id=30827

Fabian Maurer <dark.shadow4(a)web.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dark.shadow4(a)web.de

--- Comment #8 from Fabian Maurer <dark.shadow4(a)web.de> ---
*** Bug 48629 has been marked as a duplicate of this bug. ***
https://bugs.winehq.org/show_bug.cgi?id=30827

--- Comment #9 from Fabian Maurer <dark.shadow4(a)web.de> ---
Still valid as of wine-5.2.