Module: wine Branch: master Commit: 69abf20fcdbd34cdc80af6a2edc0ea2d59b604b6 URL: http://source.winehq.org/git/wine.git/?a=commit;h=69abf20fcdbd34cdc80af6a2ed... Author: Alexandre Julliard <julliard(a)winehq.org> Date: Wed Sep 11 17:30:46 2013 +0200 gdi32: Add a check for overflow in DIB dimensions. --- dlls/gdi32/dib.c | 5 +++++ dlls/gdi32/tests/bitmap.c | 43 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+), 0 deletions(-) diff --git a/dlls/gdi32/dib.c b/dlls/gdi32/dib.c index ad2a4dc..adf29ea 100644 --- a/dlls/gdi32/dib.c +++ b/dlls/gdi32/dib.c @@ -128,6 +128,11 @@ static BOOL is_valid_dib_format( const BITMAPINFOHEADER *info, BOOL allow_compre if (!info->biPlanes) return FALSE; + /* check for size overflow */ + if (!info->biBitCount) return FALSE; + if (UINT_MAX / info->biBitCount < info->biWidth) return FALSE; + if (UINT_MAX / get_dib_stride( info->biWidth, info->biBitCount ) < abs( info->biHeight )) return FALSE; + switch (info->biBitCount) { case 1: diff --git a/dlls/gdi32/tests/bitmap.c b/dlls/gdi32/tests/bitmap.c index f72574a..6b52356 100644 --- a/dlls/gdi32/tests/bitmap.c +++ b/dlls/gdi32/tests/bitmap.c @@ -1207,6 +1207,49 @@ static void test_dib_formats(void) ret = GetDIBits(hdc, hbmp, 0, 0, NULL, bi, DIB_PAL_COLORS+2); ok( !ret, "GetDIBits succeeded with DIB_PAL_COLORS+2\n" ); + bi->bmiHeader.biWidth = 0x4000; + bi->bmiHeader.biHeight = 0x4000; + bi->bmiHeader.biBitCount = 1; + bi->bmiHeader.biCompression = BI_RGB; + hdib = CreateDIBSection(hdc, bi, DIB_RGB_COLORS, &bits, NULL, 0); + ok( hdib != NULL, "CreateDIBSection failed with large size\n" ); + DeleteObject( hdib ); + + bi->bmiHeader.biWidth = 0x8001; + bi->bmiHeader.biHeight = 0x8001; + bi->bmiHeader.biBitCount = 32; + bi->bmiHeader.biCompression = BI_RGB; + hdib = CreateDIBSection(hdc, bi, DIB_RGB_COLORS, &bits, NULL, 0); + ok( hdib == NULL, "CreateDIBSection succeeded with size overflow\n" ); + + bi->bmiHeader.biWidth = 1; + bi->bmiHeader.biHeight = 0x40000001; + bi->bmiHeader.biBitCount = 32; + bi->bmiHeader.biCompression = BI_RGB; + hdib = CreateDIBSection(hdc, bi, DIB_RGB_COLORS, &bits, NULL, 0); + ok( hdib == NULL, "CreateDIBSection succeeded with size overflow\n" ); + + bi->bmiHeader.biWidth = 2; + bi->bmiHeader.biHeight = 0x40000001; + bi->bmiHeader.biBitCount = 16; + bi->bmiHeader.biCompression = BI_RGB; + hdib = CreateDIBSection(hdc, bi, DIB_RGB_COLORS, &bits, NULL, 0); + ok( hdib == NULL, "CreateDIBSection succeeded with size overflow\n" ); + + bi->bmiHeader.biWidth = 0x40000001; + bi->bmiHeader.biHeight = 1; + bi->bmiHeader.biBitCount = 32; + bi->bmiHeader.biCompression = BI_RGB; + hdib = CreateDIBSection(hdc, bi, DIB_RGB_COLORS, &bits, NULL, 0); + ok( hdib == NULL, "CreateDIBSection succeeded with size overflow\n" ); + + bi->bmiHeader.biWidth = 0x40000001; + bi->bmiHeader.biHeight = 4; + bi->bmiHeader.biBitCount = 8; + bi->bmiHeader.biCompression = BI_RGB; + hdib = CreateDIBSection(hdc, bi, DIB_RGB_COLORS, &bits, NULL, 0); + ok( hdib == NULL, "CreateDIBSection succeeded with size overflow\n" ); + DeleteDC( memdc ); DeleteObject( hbmp ); ReleaseDC( 0, hdc );