[Bug 25691] New: ImageList_Duplicate doesn't correctly duplicate full length of has_alpha byte array

4 Jan 2011


      http://bugs.winehq.org/show_bug.cgi?id=25691
Summary: ImageList_Duplicate doesn't correctly duplicate full
                    length of has_alpha byte array
           Product: Wine
           Version: unspecified
          Platform: x86
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: comctl32
        AssignedTo: wine-bugs@winehq.org
        ReportedBy: rmcdonald@bittorrent.com
In the case where an image list is created, then expanded enough so that the
byte array pointed at by the has_alpha member has been reallocated to a larger
size (and cMaxImage is larger), if that image list is duplicated, the duplicate
will have a has_alpha member that is shorter than the expected length.
Where ImageList_Create assigns:
himl->cMaxImage = cInitial + 1;
and then ensures the length of the has_alpha byte array is at least cMaxImage
bytes long,
ImageList_Duplicate assigns to the duplicate:
himlDst->cMaxImage = himlSrc->cMaxImage;
which throws off the internal checks that assume the length of the has_alpha
member is at least as long as cMaxImage says.  This results in heap corruption
when the following line in add_with_alpha() is executed under the right
conditions:
himl->has_alpha[pos + n] = 1;
I worked around the bug by making the following changes to
dlls/comctl32/imagelist.c:
*** 1519,1524 ****
--- 1519,1537 ----
                      himlSrc->hdcMask, 0, 0, SRCCOPY);
himlDst->cCurImage = himlSrc->cCurImage;
+         if (himlSrc->has_alpha && himlDst->has_alpha
+             && himlSrc->cMaxImage > himlDst->cMaxImage)
+         {
+             /* ImageList_Create didn't create a long enough new_alpha */
+             char *new_alpha = HeapReAlloc( GetProcessHeap(),
HEAP_ZERO_MEMORY,
+                 himlDst->has_alpha, himlSrc->cMaxImage );
+             if (new_alpha) himlDst->has_alpha = new_alpha;
+             else
+             {
+                 HeapFree( GetProcessHeap(), 0, himlDst->has_alpha );
+                 himlDst->has_alpha = NULL;
+             }
+         }
      himlDst->cMaxImage = himlSrc->cMaxImage;
          if (himlSrc->has_alpha && himlDst->has_alpha)
              memcpy( himlDst->has_alpha, himlSrc->has_alpha,
himlDst->cCurImage );
I built Wine 1.2.2 from source (./configure; make; sudo make install), and then
applied the changes the same way and retested.
Looks like the 1.3 and development lines have the same issue.
I don't know if this patch is efficient enough for me to submit it (nicer if
ImageList_Create would accept cMaxImage as a parameter so it could create the
byte array with the correct length to save an allocation, but that's a bigger
change).
-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

[Bug 25691] New: ImageList_Duplicate doesn't correctly duplicate full length of has_alpha byte array