http://bugs.winehq.org/show_bug.cgi?id=30827
Bug #: 30827
Summary: Uninitialized memory reference in create_icon_pixmaps() -> GetDIBits() -> bitmapinfoheader_from_user_bitmapinfo()
Product: Wine
Version: 1.5.5
Platform: x86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: gdi32
AssignedTo: wine-bugs@winehq.org
ReportedBy: dank@kegel.com
Classification: Unclassified
While looking at bug 30826, I saw
Conditional jump or move depends on uninitialised value(s)
   at bitmapinfoheader_from_user_bitmapinfo (dib.c:177)
   by GetDIBits (dib.c:1210)
   by create_icon_pixmaps.isra.8 (window.c:883)
create_icon_pixmaps calls GetDIBits with bits=NULL and a mostly uninitialized info, but bitmapinfoheader_from_user_bitmapinfo() assumes that biCompression has already been initialized.
gdi32/dib.c:

149 static BOOL bitmapinfoheader_from_user_bitmapinfo( BITMAPINFOHEADER *dst, const BITMAPINFOHEADER *info )
150 {
...
166     else if (info->biSize >= sizeof(BITMAPINFOHEADER)) /* assume BITMAPINFOHEADER */
167     {
168         *dst = *info;
169     }
...
176     dst->biSize = sizeof(*dst);
177     if (dst->biCompression == BI_RGB || dst->biCompression == BI_BITFIELDS)
178         dst->biSizeImage = get_dib_image_size( (BITMAPINFO *)dst );

1187 INT WINAPI GetDIBits(
1188     HDC hdc,             /* [in] Handle to device context */
1189     HBITMAP hbitmap,     /* [in] Handle to bitmap */
1190     UINT startscan,      /* [in] First scan line to set in dest bitmap */
1191     UINT lines,          /* [in] Number of scan lines to copy */
1192     LPVOID bits,         /* [out] Address of array for bitmap bits */
1193     BITMAPINFO * info,   /* [in,out] Address of structure with bitmap data */
1194     UINT coloruse)       /* [in] RGB or palette index */
1195 {
...
1208     /* Since info may be a BITMAPCOREINFO or any of the larger BITMAPINFO structures, we'll use our
1209        own copy and transfer the colour info back at the end */
1210     if (!bitmapinfoheader_from_user_bitmapinfo( &dst_info->bmiHeader, &info->bmiHeader )) return 0;
....
1212     if (bits &&
1213         (dst_info->bmiHeader.biCompression == BI_JPEG || dst_info->bmiHeader.biCompression == BI_PNG))

winex11.drv/window.c:

868 static BOOL create_icon_pixmaps( HDC hdc, const ICONINFO *icon, struct x11drv_win_data *data )
869 {
870     char buffer[FIELD_OFFSET( BITMAPINFO, bmiColors[256] )];
871     BITMAPINFO *info = (BITMAPINFO *)buffer;
...
881     info->bmiHeader.biSize = sizeof(BITMAPINFOHEADER);
882     info->bmiHeader.biBitCount = 0;
883     if (!(lines = GetDIBits( hdc, icon->hbmColor, 0, 0, NULL, info, DIB_RGB_COLORS ))) goto failed;
Note that GetDIBits is careful to avoid referencing biCompression itself when bits is NULL, but the function it calls doesn't know whether bits is NULL.
(bug 30266 is nearby but doesn't seem related?)
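The pattern the report describes, as an added example (not Wine's code and not the fix later submitted for this bug): a Linux-buildable model of the callee that takes a hypothetical bits_requested flag so a header-only query never reads biCompression, beside a caller that zeroes the whole header instead of setting only biSize and biBitCount as create_icon_pixmaps does. The Win32 type stand-ins, header_from_user and query_header are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Stand-ins for the Win32 types used in the report; constructed for this example
   (not Wine's headers) so the file builds on Linux. */
typedef uint32_t DWORD; typedef int32_t LONG; typedef uint16_t WORD;
#define BI_RGB       0
#define BI_BITFIELDS 3
typedef struct {
    DWORD biSize; LONG biWidth; LONG biHeight; WORD biPlanes; WORD biBitCount;
    DWORD biCompression; DWORD biSizeImage; LONG biXPelsPerMeter;
    LONG biYPelsPerMeter; DWORD biClrUsed; DWORD biClrImportant;
} BITMAPINFOHEADER;

/* Byte size of an uncompressed DIB: each row is padded to a 4-byte boundary. */
static DWORD get_dib_image_size(const BITMAPINFOHEADER *h)
{
    DWORD stride = (((DWORD)h->biWidth * h->biBitCount + 31) / 32) * 4;
    return stride * (DWORD)(h->biHeight < 0 ? -h->biHeight : h->biHeight);
}

/* Hypothetical hardened callee: it is told whether bits were requested. For a
   header-only query (bits == NULL) biCompression is not valid input, so it is
   never read; the code quoted above compares it unconditionally. */
static bool header_from_user(BITMAPINFOHEADER *dst, const BITMAPINFOHEADER *src,
                             bool bits_requested)
{
    if (src->biSize < sizeof(BITMAPINFOHEADER)) return false;
    *dst = *src;
    dst->biSize = sizeof(*dst);
    if (!bits_requested) {
        dst->biCompression = BI_RGB;  /* a query asks for the bitmap's own format */
        dst->biSizeImage = 0;
        return true;
    }
    if (dst->biCompression == BI_RGB || dst->biCompression == BI_BITFIELDS)
        dst->biSizeImage = get_dib_image_size(dst);
    return true;
}

/* Caller side, the counterpart of create_icon_pixmaps: zero the whole header
   first, so even an unhardened callee sees a defined biCompression. */
static DWORD query_header(BITMAPINFOHEADER *out)
{
    BITMAPINFOHEADER info;
    memset(&info, 0, sizeof(info));   /* caller-side fix: no uninitialised fields */
    info.biSize = sizeof(BITMAPINFOHEADER);
    info.biBitCount = 0;              /* 0 asks for the bitmap's own depth */
    return header_from_user(out, &info, false) ? out->biSize : 0;
}
```

Building the file with valgrind or MemorySanitizer shows no report for query_header, while a caller that skips the memset reproduces the "depends on uninitialised value(s)" warning against the unhardened comparison.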
Dan Kegel dank@kegel.com changed:
What      |Removed |Added
----------------------------------------------------------------
Keywords  |        |download
URL       |        |http://www.gigasoft.com/PE7-Pro-Setup.exe
--- Comment #1 from Dan Kegel dank@kegel.com 2012-06-05 13:49:40 CDT ---
Created attachment 40398 --> http://bugs.winehq.org/attachment.cgi?id=40398
Source, binary, and log for tiny demo program
Here's a 93 line program that triggers the same warning. The tarball contains C source, executable, and valgrind log.
Alexandre Julliard julliard@winehq.org changed:
What      |Removed |Added
----------------------------------------------------------------
CC        |        |austinenglish@gmail.com
--- Comment #2 from Alexandre Julliard julliard@winehq.org 2012-09-26 13:49:02 CDT ---
*** Bug 31803 has been marked as a duplicate of this bug. ***
Michal Suchanek hramrach@gmail.com changed:
What      |Removed |Added
----------------------------------------------------------------
CC        |        |hramrach@gmail.com
--- Comment #3 from Michal Suchanek hramrach@gmail.com 2012-11-20 10:10:12 CST ---
Can reproduce running notepad.exe from wine 1.5.17:

==26498== Conditional jump or move depends on uninitialised value(s)
==26498==    at 0x54B5B21: bitmapinfoheader_from_user_bitmapinfo (in /usr/lib/i386-linux-gnu/wine/gdi32.dll.so)
==26498==    by 0x54B872B: GetDIBits (in /usr/lib/i386-linux-gnu/wine/gdi32.dll.so)
==26498==    by 0x5FD7DFD: create_icon_pixmaps.isra.9 (in /usr/lib/i386-linux-gnu/wine/winex11.drv.so)
==26498==    by 0x5FD9851: fetch_icon_data (in /usr/lib/i386-linux-gnu/wine/winex11.drv.so)
==26498==    by 0x5FDC4C0: X11DRV_WindowPosChanged (in /usr/lib/i386-linux-gnu/wine/winex11.drv.so)
==26498==    by 0x53E388D: set_window_pos (in /usr/lib/i386-linux-gnu/wine/user32.dll.so)
==26498==    by 0x53E47C0: USER_SetWindowPos (in /usr/lib/i386-linux-gnu/wine/user32.dll.so)
==26498==    by 0x53E3B16: SetWindowPos (in /usr/lib/i386-linux-gnu/wine/user32.dll.so)
==26498==    by 0x53E6336: show_window (in /usr/lib/i386-linux-gnu/wine/user32.dll.so)
==26498==    by 0x53E64AA: ShowWindow (in /usr/lib/i386-linux-gnu/wine/user32.dll.so)
==26498==    by 0x4BFF769: WinMain (in /usr/lib/i386-linux-gnu/wine/notepad.exe.so)
==26498==    by 0x4BF9C0D: main (in /usr/lib/i386-linux-gnu/wine/notepad.exe.so)
Jactry Zeng jactry92@gmail.com changed:
What      |Removed |Added
----------------------------------------------------------------
CC        |        |jactry92@gmail.com
marc.bessieres@gmail.com changed:
What      |Removed |Added
----------------------------------------------------------------
CC        |        |marc.bessieres@gmail.com

--- Comment #4 from marc.bessieres@gmail.com ---
Hello,
I've submitted http://source.winehq.org/patches/data/108223 for this bug.
Cheers, Marc
Austin English austinenglish@gmail.com changed:
What      |Removed |Added
----------------------------------------------------------------
Keywords  |        |valgrind
super_man@post.com changed:
What      |Removed |Added
----------------------------------------------------------------
CC        |        |super_man@post.com

--- Comment #5 from super_man@post.com ---
The patch applies cleanly against 1.7.51 so the issue is still valid.
Alexandre Julliard julliard@winehq.org changed:
What      |Removed |Added
----------------------------------------------------------------
CC        |        |alexhenrie24@gmail.com

--- Comment #6 from Alexandre Julliard julliard@winehq.org ---
*** Bug 39373 has been marked as a duplicate of this bug. ***
--- Comment #7 from super_man@post.com ---
still applying

patching file dlls/gdi32/dib.c
Hunk #1 succeeded at 150 (offset 2 lines).
Hunk #2 succeeded at 180 (offset 2 lines).
Hunk #3 succeeded at 1236 (offset 14 lines).
Hunk #4 succeeded at 1275 (offset 14 lines).
wine 1.9.6-git
Fabian Maurer dark.shadow4@web.de changed:
What      |Removed |Added
----------------------------------------------------------------
CC        |        |dark.shadow4@web.de

--- Comment #8 from Fabian Maurer dark.shadow4@web.de ---
*** Bug 48629 has been marked as a duplicate of this bug. ***
--- Comment #9 from Fabian Maurer dark.shadow4@web.de ---
Still valid as of wine-5.2.