https://bugs.winehq.org/show_bug.cgi?id=45104
Bug ID: 45104
Summary: OOB read in gdiplus
Product: Wine
Version: 3.7
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gdiplus
Assignee: wine-bugs@winehq.org
Reporter: robert.gawlik@rub.de
Distribution: ---
Original submitted report can be found here: https://bugs.launchpad.net/ubuntu/+source/wine/+bug/1764719
(*) Out-of-bounds read in dlls/gdiplus/metafile.c:2528 (last commit: dd2624a24fba400bf59b9396e496d16c43d399d9):
The parameters data, dataSize and recordType are completely user controlled and flow into a memcpy() call in line 2528. If the length of data is less than dataSize, then this results in an out-of-bounds read.
2461 GpStatus WINGDIPAPI GdipPlayMetafileRecord(GDIPCONST GpMetafile *metafile,
2462     EmfPlusRecordType recordType, UINT flags, UINT dataSize, GDIPCONST BYTE *data)
2463 {
....
2471
2472     if (recordType >= 1 && recordType <= 0x7a)
2473     {
2474         /* regular EMF record */
2475         if (metafile->playback_dc)
2476         {
2477             switch (recordType)
2478             {
....
2520             default:
2521             {
2522                 ENHMETARECORD *record = heap_alloc_zero(dataSize + 8); // <== dataSize is completely user controlled
2523
2524                 if (record)
2525                 {
2526                     record->iType = recordType;
2527                     record->nSize = dataSize + 8;
2528                     memcpy(record->dParm, data, dataSize); // <== data is user controlled, memcpy performs OOB read
2529
2530                     if(PlayEnhMetaFileRecord(metafile->playback_dc, metafile->handle_table,
2531                                 record, metafile->handle_count) == 0) // (record is user controlled => source of many vulnerabilities)
2532                         ERR("PlayEnhMetaFileRecord failed\n");
If you need more information (EMF trigger file, etc.) let me know!
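As an added illustration (not Wine's code and not part of the report), the caller-side check that closes the gap described above: before handing (recordType, dataSize, data) to a routine that memcpy()s dataSize bytes, confirm the record's declared size fits inside the bytes actually read. The record layout follows the ENHMETARECORD fields in the snippet (iType, nSize, dParm); the function names and the constructed test buffers are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Layout modelled on the ENHMETARECORD in the report: 4-byte iType, 4-byte nSize
 * (total size including this 8-byte header), then nSize - 8 bytes of dParm. */
#define EMR_HEADER_SIZE 8u

/* Returns 1 if the record at buf[offset] lies entirely inside buf[0..len) and
 * fills recordType/dataSize (dataSize = parameter byte count); returns 0 for a
 * truncated header, an nSize smaller than the header, or an nSize that runs
 * past the buffer. Hypothetical helper; little-endian host assumed. */
int emf_record_check(const uint8_t *buf, size_t len, size_t offset,
                     uint32_t *recordType, uint32_t *dataSize)
{
    uint32_t iType, nSize;

    if (buf == NULL || offset > len || len - offset < EMR_HEADER_SIZE)
        return 0;                          /* header itself is truncated */

    memcpy(&iType, buf + offset, 4);
    memcpy(&nSize, buf + offset + 4, 4);

    if (nSize < EMR_HEADER_SIZE)
        return 0;                          /* nSize - 8 would wrap */
    if ((size_t)nSize > len - offset)
        return 0;                          /* declared size exceeds available bytes */

    *recordType = iType;
    *dataSize   = nSize - EMR_HEADER_SIZE;
    return 1;
}

/* Walks a record stream and counts records that pass the check; returns -1 at
 * the first bad record so the caller rejects the file instead of replaying a
 * record whose dataSize is larger than the data behind it. */
int emf_count_valid_records(const uint8_t *buf, size_t len)
{
    size_t offset = 0;
    int count = 0;
    uint32_t type, size;

    while (offset < len) {
        if (!emf_record_check(buf, len, offset, &type, &size))
            return -1;
        count++;
        offset += (size_t)size + EMR_HEADER_SIZE;
    }
    return count;
}
```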