http://bugs.winehq.org/show_bug.cgi?id=30827
Bug #: 30827
Summary: Uninitialized memory reference in create_icon_pixmaps() -> GetDIBits() -> bitmapinfoheader_from_user_bitmapinfo()
Product: Wine
Version: 1.5.5
Platform: x86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: gdi32
AssignedTo: wine-bugs@winehq.org
ReportedBy: dank@kegel.com
Classification: Unclassified
While looking at bug 30826, I saw
Conditional jump or move depends on uninitialised value(s)
   at bitmapinfoheader_from_user_bitmapinfo (dib.c:177)
   by GetDIBits (dib.c:1210)
   by create_icon_pixmaps.isra.8 (window.c:883)
create_icon_pixmaps calls GetDIBits with bits=NULL and a mostly uninitialized info, but bitmapinfoheader_from_user_bitmapinfo() assumes that biCompression has already been initialized.
gdi32/dib.c:

149 static BOOL bitmapinfoheader_from_user_bitmapinfo( BITMAPINFOHEADER *dst, const BITMAPINFOHEADER *info )
150 {
...
166     else if (info->biSize >= sizeof(BITMAPINFOHEADER))  /* assume BITMAPINFOHEADER */
167     {
168         *dst = *info;
169     }
...
176     dst->biSize = sizeof(*dst);
177     if (dst->biCompression == BI_RGB || dst->biCompression == BI_BITFIELDS)
178         dst->biSizeImage = get_dib_image_size( (BITMAPINFO *)dst );
1187 INT WINAPI GetDIBits(
1188     HDC hdc,           /* [in]  Handle to device context */
1189     HBITMAP hbitmap,   /* [in]  Handle to bitmap */
1190     UINT startscan,    /* [in]  First scan line to set in dest bitmap */
1191     UINT lines,        /* [in]  Number of scan lines to copy */
1192     LPVOID bits,       /* [out] Address of array for bitmap bits */
1193     BITMAPINFO * info, /* [in,out] Address of structure with bitmap data */
1194     UINT coloruse)     /* [in]  RGB or palette index */
1195 {
...
1208     /* Since info may be a BITMAPCOREINFO or any of the larger BITMAPINFO structures, we'll use our
1209        own copy and transfer the colour info back at the end */
1210     if (!bitmapinfoheader_from_user_bitmapinfo( &dst_info->bmiHeader, &info->bmiHeader )) return 0;
....
1212     if (bits &&
1213         (dst_info->bmiHeader.biCompression == BI_JPEG || dst_info->bmiHeader.biCompression == BI_PNG))
winex11.drv/window.c:

868 static BOOL create_icon_pixmaps( HDC hdc, const ICONINFO *icon, struct x11drv_win_data *data )
869 {
870     char buffer[FIELD_OFFSET( BITMAPINFO, bmiColors[256] )];
871     BITMAPINFO *info = (BITMAPINFO *)buffer;
...
881     info->bmiHeader.biSize = sizeof(BITMAPINFOHEADER);
882     info->bmiHeader.biBitCount = 0;
883     if (!(lines = GetDIBits( hdc, icon->hbmColor, 0, 0, NULL, info, DIB_RGB_COLORS ))) goto failed;
Note that GetDIBits is careful to avoid referencing biCompression itself when bits is NULL, but the function it calls doesn't know whether bits is NULL.
(bug 30266 is nearby but doesn't seem related?)
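A reduced C model of the call path this report describes, added here as an illustration and not Wine's code: the `query_only` argument (standing in for `bits == NULL`), the trimmed struct layout and the two self-check functions are assumptions of the example, and the 0xAB fill is a constructed stand-in for the uninitialised stack buffer in create_icon_pixmaps().

```c
#include <stdint.h>
#include <string.h>
#define BI_RGB       0
#define BI_BITFIELDS 3
/* Field order of the Windows BITMAPINFOHEADER, trimmed to what is used here. */
typedef struct { uint32_t biSize; int32_t biWidth, biHeight; uint16_t biPlanes, biBitCount;
                 uint32_t biCompression, biSizeImage; } BITMAPINFOHEADER;

/* Pixel bytes for an uncompressed DIB: rows are padded to 4 bytes, height may be negative. */
static uint32_t get_dib_image_size(const BITMAPINFOHEADER *h)
{
    uint32_t stride = (((uint32_t)h->biWidth * h->biBitCount + 31) / 8) & ~3u;
    return stride * (uint32_t)(h->biHeight < 0 ? -h->biHeight : h->biHeight);
}

/* Hardened copy: query_only stands for bits == NULL.  In that mode only the fields
 * the caller must set are read, so an uninitialised biCompression cannot steer the branch. */
static int header_from_user_header(BITMAPINFOHEADER *dst,
                                   const BITMAPINFOHEADER *info, int query_only)
{
    if (info->biSize < sizeof(BITMAPINFOHEADER)) return 0;
    if (query_only) {
        memset(dst, 0, sizeof(*dst));          /* biCompression == BI_RGB */
        dst->biBitCount = info->biBitCount;
    } else {
        *dst = *info;
    }
    dst->biSize = sizeof(*dst);
    if (dst->biCompression == BI_RGB || dst->biCompression == BI_BITFIELDS)
        dst->biSizeImage = get_dib_image_size(dst);
    return 1;
}

/* Query mode against a header pre-filled with a constructed garbage pattern. */
static int query_mode_ignores_garbage(void)
{
    BITMAPINFOHEADER src, dst;
    memset(&src, 0xAB, sizeof(src));           /* stand-in for uninitialised stack */
    src.biSize = sizeof(src); src.biBitCount = 0;
    if (!header_from_user_header(&dst, &src, 1)) return 0;
    return dst.biCompression == BI_RGB && dst.biSizeImage == 0;
}

/* Full mode, 16x4 pixels at 24 bpp: 48-byte stride * 4 rows = 192. */
static uint32_t full_mode_image_size(void)
{
    BITMAPINFOHEADER src = { sizeof(src), 16, 4, 1, 24, BI_RGB, 0 }, dst;
    header_from_user_header(&dst, &src, 0);
    return dst.biSizeImage;
}
```

Running the query-mode check under valgrind reports no conditional jump on uninitialised data, because the garbage in src.biCompression is never read.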