Module: wine Branch: stable Commit: d82598011ab74422a45922d27430f90f3d7e756d URL: https://source.winehq.org/git/wine.git/?a=commit;h=d82598011ab74422a45922d27...
Author: Bernhard Übelacker bernhardu@mailbox.org Date: Sun Jan 28 19:15:44 2018 +0100
user32: Validate DIB offset in CURSORICON_GetFileEntry.
Signed-off-by: Bernhard Übelacker bernhardu@mailbox.org Signed-off-by: Alexandre Julliard julliard@winehq.org (cherry picked from commit 9256017adf1b32564d96a745d2ba79c09f0cb02a) Signed-off-by: Michael Stefaniuc mstefani@winehq.org
---
dlls/user32/cursoricon.c | 1 + dlls/user32/tests/cursoricon.c | 8 ++++++++ 2 files changed, 9 insertions(+)
diff --git a/dlls/user32/cursoricon.c b/dlls/user32/cursoricon.c index 1fbec2a..c76d323 100644 --- a/dlls/user32/cursoricon.c +++ b/dlls/user32/cursoricon.c @@ -673,6 +673,7 @@ static BOOL CURSORICON_GetFileEntry( LPCVOID dir, DWORD size, int n, if ((const char *)&filedir->idEntries[n + 1] - (const char *)dir > size) return FALSE; entry = &filedir->idEntries[n]; + if (entry->dwDIBOffset > size - sizeof(info->biSize)) return FALSE; info = (const BITMAPINFOHEADER *)((const char *)dir + entry->dwDIBOffset); if (info->biSize != sizeof(BITMAPCOREHEADER)) { diff --git a/dlls/user32/tests/cursoricon.c b/dlls/user32/tests/cursoricon.c index 211376b..5099c08 100644 --- a/dlls/user32/tests/cursoricon.c +++ b/dlls/user32/tests/cursoricon.c @@ -1031,6 +1031,12 @@ static const unsigned char gif4pixel[42] = { 0x02,0x00,0x00,0x02,0x03,0x14,0x16,0x05,0x00,0x3b };
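Review bot: The new guard `if (entry->dwDIBOffset > size - sizeof(info->biSize)) return FALSE;` only proves that the 4-byte `biSize` field lies inside the buffer, not the rest of the BITMAPINFOHEADER or BITMAPCOREHEADER that `info` is subsequently dereferenced as; the full header length still has to be bounds-checked once `biSize` is known, which presumably happens in the branch that opens at the end of the hunk, since CURSORICON_GetFileEntry's body continues outside it. The subtraction form is the right choice over `dwDIBOffset + sizeof(info->biSize)` because that sum can wrap on a 32-bit build, and the subtraction itself cannot wrap for a non-negative n: the preceding `idEntries[n + 1]` check already guarantees `size` covers the directory header and at least one entry. None of that is obvious from the line, so a short comment would help: `/* only proves biSize is readable; the header length is range-checked once biSize is known */`.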
+/* An invalid cursor with an invalid dwDIBOffset */ +static const unsigned char invalid_dwDIBOffset[] = { + 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00 +}; + static const DWORD biSize_tests[] = { 0, sizeof(BITMAPCOREHEADER) - 1, @@ -1320,6 +1326,8 @@ static void test_LoadImage(void) test_LoadImageFile("BMP (broken biSize)", bmpimage, sizeof(bmpimage), "bmp", 0); } bitmap_header->biSize = sizeof(BITMAPINFOHEADER); + + test_LoadImageFile("Cursor (invalid dwDIBOffset)", invalid_dwDIBOffset, sizeof(invalid_dwDIBOffset), "cur", 0); }
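Review bot: The fixture `invalid_dwDIBOffset` only exercises the far-out-of-range case (dwDIBOffset = 0xffff in a 22-byte file), so the boundary of the new guard is not tested; a second fixture with the last four bytes set to `0x12, 0x00, 0x00, 0x00` (offset 18, exactly size minus sizeof(biSize)) would pass the offset check with `biSize` readable but nothing after it, covering the path where the rest of the header must still be rejected, together with a matching `test_LoadImageFile("Cursor (truncated header)", ...)` call in test_LoadImage. Bytes 2–3 of the fixture leave the directory's idType at 0 rather than the cursor type; if the loader rejects that before reaching the offset check the test would pass for the wrong reason, so it is worth confirming which check actually fails here, or setting the type so the new guard is what rejects the file.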
#undef ARRAY_SIZE