https://bugs.winehq.org/show_bug.cgi?id=45105
Bug ID: 45105
Summary: heap-buffer overflow in gdi32
Product: Wine
Version: 3.7
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gdi32
Assignee: wine-bugs@winehq.org
Reporter: robert.gawlik@rub.de
Distribution: ---
Created attachment 61284 --> https://bugs.winehq.org/attachment.cgi?id=61284 affected source code
Original submitted report can be found here: https://bugs.launchpad.net/ubuntu/+source/wine/+bug/1764719
The attachment also contains more details. If more info is needed, please let me know!
Jens Reyer jre.winesim@gmail.com changed:
What | Removed | Added
CC   |         | jre.winesim@gmail.com
tokktokk fdsfgs@krutt.org changed:
What | Removed | Added
CC   |         | fdsfgs@krutt.org
Vincent Povirk madewokherd@gmail.com changed:
What | Removed | Added
CC   |         | madewokherd@gmail.com
--- Comment #1 from Vincent Povirk madewokherd@gmail.com ---
Lack of bounds checking is a more general problem in PlayEnhMetaFileRecord. We don't check that the record itself is large enough for all its fields, or that other variable-length fields fit.
I think it might be better to do the bounds checking in EnumEnhMetaFile. It's unreasonable to expect individual applications to do exhaustive bounds checking in their own enum callbacks.
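The comment above argues for validating each record in the enumerator before the callback ever sees it. The following is an added example, not Wine's code: a standalone walker over an EMF record stream that rejects a record whose declared size is truncated, misaligned, overruns the buffer, or (for a polyline-style record) claims more points than fit inside it. The struct layouts and the `EMR_TYPE_*` values mirror the public EMR header and polyline layout, but are defined locally so the example builds without Wine headers; the sample streams are constructed in the `demo_*` functions.

```c
/* Added example (not Wine's code): defensive validation of an EMF record stream,
 * the kind of bounds checking the comment proposes for the enumerator. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Common header every EMF record starts with: type, then total size in bytes. */
typedef struct { uint32_t iType; uint32_t nSize; } EMR_HDR;
typedef struct { int32_t x, y; } POINTL_T;
/* Polyline-style record: header, bounds rectangle, point count, then cptl points. */
typedef struct { EMR_HDR emr; int32_t rcl[4]; uint32_t cptl; } EMR_POLY_HDR;

#define EMR_TYPE_POLYLINE 4   /* public EMR_POLYLINE value */
#define EMR_TYPE_EOF      14  /* public EMR_EOF value */

/* Returns the number of records validated, or -1 at the first malformed record. */
int validate_emf_records(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        EMR_HDR hdr;
        if (len - off < sizeof(hdr)) return -1;                      /* header itself truncated */
        memcpy(&hdr, buf + off, sizeof(hdr));
        if (hdr.nSize < sizeof(hdr) || (hdr.nSize & 3)) return -1;  /* too small or not 4-byte aligned */
        if (hdr.nSize > len - off) return -1;                        /* record overruns the buffer */
        if (hdr.iType == EMR_TYPE_POLYLINE) {
            EMR_POLY_HDR ph;
            if (hdr.nSize < sizeof(ph)) return -1;                   /* fixed fields missing */
            memcpy(&ph, buf + off, sizeof(ph));
            /* Variable-length field: cptl points must fit in the record; divide rather
             * than multiply so a huge cptl cannot wrap the arithmetic. */
            if (ph.cptl > (hdr.nSize - sizeof(ph)) / sizeof(POINTL_T)) return -1;
        }
        count++;
        if (hdr.iType == EMR_TYPE_EOF) break;
        off += hdr.nSize;
    }
    return count;
}

/* Constructed sample builders: a polyline record that claims 'claimed_pts' points
 * but actually carries 'actual_pts', followed by an EOF record. */
size_t build_polyline(uint8_t *out, uint32_t claimed_pts, uint32_t actual_pts)
{
    uint32_t nSize = (uint32_t)(sizeof(EMR_POLY_HDR) + actual_pts * sizeof(POINTL_T));
    EMR_POLY_HDR ph = { { EMR_TYPE_POLYLINE, nSize }, { 0, 0, 10, 10 }, claimed_pts };
    memcpy(out, &ph, sizeof(ph));
    memset(out + sizeof(ph), 0, actual_pts * sizeof(POINTL_T));
    return nSize;
}

size_t build_eof(uint8_t *out)
{
    EMR_HDR h = { EMR_TYPE_EOF, sizeof(EMR_HDR) };
    memcpy(out, &h, sizeof(h));
    return sizeof(h);
}

/* Well-formed stream: polyline with 2 points, then EOF -> 2 records. */
int demo_good(void)
{
    uint8_t buf[256];
    size_t n = build_polyline(buf, 2, 2);
    n += build_eof(buf + n);
    return validate_emf_records(buf, n);
}

/* Point count larger than the record can hold -> rejected (-1). */
int demo_bad_count(void)
{
    uint8_t buf[256];
    size_t n = build_polyline(buf, 1000, 2);
    n += build_eof(buf + n);
    return validate_emf_records(buf, n);
}

/* Buffer cut short so the EOF header is incomplete -> rejected (-1). */
int demo_truncated(void)
{
    uint8_t buf[256];
    size_t n = build_polyline(buf, 2, 2);
    n += build_eof(buf + n);
    return validate_emf_records(buf, n - 4);
}

int main(void)
{
    printf("good=%d bad_count=%d truncated=%d\n", demo_good(), demo_bad_count(), demo_truncated());
    return 0;
}
```

Checking the count against the remaining record bytes by division (rather than multiplying `cptl` by the point size) is what keeps a large count from wrapping to a small product and slipping past the check; the same pattern applies to any record whose length depends on a count field.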
Marcus Meissner marcus@jet.franken.de changed:
What | Removed | Added
CC   |         | marcus@jet.franken.de
Marcus Meissner marcus@jet.franken.de changed:
What    | Removed                        | Added
Summary | heap-buffer overflow in gdi32  | heap-buffer overflow in gdi32 (CVE-2018-12932)
--- Comment #2 from Marcus Meissner marcus@jet.franken.de ---
Vincent committed at least these two patches:
https://source.winehq.org/git/wine.git/commit/b6da3547d8990c3c3affc3a5865aef...
https://source.winehq.org/git/wine.git/commit/8d2676fd14f130f9e8f06744743423...
Esme Povirk madewokherd@gmail.com changed:
What          | Removed     | Added
Status        | UNCONFIRMED | RESOLVED
Fixed by SHA1 |             | 1f04c5c7dec21efd8771e1f4c32e24a18ce9847c
Resolution    | ---         | FIXED
--- Comment #3 from Esme Povirk madewokherd@gmail.com ---
Tested all sample files from the launchpad bug and got no crashes (previously, some of them logged access violations in unixlib code), so I think this is fixed.
Alexandre Julliard julliard@winehq.org changed:
What   | Removed  | Added
Status | RESOLVED | CLOSED
--- Comment #4 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 9.16.