Module: wine Branch: master Commit: 35d202fc0982da4e7ae3596414482318af118acb URL: https://source.winehq.org/git/wine.git/?a=commit;h=35d202fc0982da4e7ae359641...
Author: Alexandre Julliard julliard@winehq.org Date: Fri Apr 5 09:42:09 2019 +0200
kernel32: Validate handle before freeing a LOAD_LIBRARY_AS_DATAFILE module.
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=46019 Signed-off-by: Alexandre Julliard julliard@winehq.org
---
dlls/kernel32/module.c | 8 +++++++- dlls/kernel32/tests/module.c | 5 +++++ 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/dlls/kernel32/module.c b/dlls/kernel32/module.c
index eb0471c..2f078a0 100644
--- a/dlls/kernel32/module.c
+++ b/dlls/kernel32/module.c
@@ -1102,6 +1102,12 @@ BOOL WINAPI DECLSPEC_HOTPATCH FreeLibrary(HINSTANCE hLibModule)
 if ((ULONG_PTR)hLibModule & 3) /* this is a datafile module */
 {
+ void *ptr = (void *)((ULONG_PTR)hLibModule & ~3);
+ if (!RtlImageNtHeader( ptr ))
+ {
+ SetLastError( ERROR_BAD_EXE_FORMAT );
+ return FALSE;
+ }
 if ((ULONG_PTR)hLibModule & 1)
 {
 struct exclusive_datafile *file;
@@ -1119,7 +1125,7 @@ BOOL WINAPI DECLSPEC_HOTPATCH FreeLibrary(HINSTANCE hLibModule)
 }
 LdrUnlockLoaderLock( 0, magic );
 }
- return UnmapViewOfFile( (void *)((ULONG_PTR)hLibModule & ~3) );
+ return UnmapViewOfFile( ptr );
 }
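Review bot: The new `RtlImageNtHeader( ptr )` guard at the top of the datafile branch (first hunk) checks only that the masked address looks like a PE image, not that the mapping came from a LOAD_LIBRARY_AS_DATAFILE load, so a tagged handle whose masked address holds any other valid image header would still reach `UnmapViewOfFile( ptr )`. The guard also runs on a caller-supplied pointer, so it relies on RtlImageNtHeader tolerating NULL or unmapped addresses; that function is not shown here and this should be confirmed. I would record both limits above the check, e.g. `/* format check only: rejects handles that do not point at a PE header, does not prove we own the mapping */`. FreeLibrary's body starts and ends outside the hunk.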
 if ((nts = LdrUnloadDll( hLibModule )) == STATUS_SUCCESS) retv = TRUE;
diff --git a/dlls/kernel32/tests/module.c b/dlls/kernel32/tests/module.c
index 3e077f3..c059b98 100644
--- a/dlls/kernel32/tests/module.c
+++ b/dlls/kernel32/tests/module.c
@@ -430,6 +430,11 @@ static void testLoadLibraryEx(void)
 ok(hmodule != 0, "Expected valid module handle\n");
 SetLastError(0xdeadbeef);
+ ret = FreeLibrary( (HMODULE)((ULONG_PTR)hmodule + 0x1230));
+ ok(!ret, "Free succeeded on wrong handle\n");
+ ok(GetLastError() == ERROR_BAD_EXE_FORMAT, "wrong error %u\n", GetLastError());
+
+ SetLastError(0xdeadbeef);
 ret = FreeLibrary(hmodule);
 ok(ret, "Expected to be able to free the module, failed with %d\n", GetLastError());
 SetLastError(0xdeadbeef);
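Review bot: The magic offset in `FreeLibrary( (HMODULE)((ULONG_PTR)hmodule + 0x1230))` is unexplained, and the case only works because 0x1230 leaves the low two bits of the handle unchanged, so the value is presumably still taken as a datafile handle while no longer pointing at the image header. A short comment would keep a later edit from picking an offset that alters those bits, e.g. `/* offset keeps the low tag bits but moves the pointer off the PE header */`. The test covers only an address inside the existing mapping; whether a tagged handle pointing at unmapped memory fails cleanly is not exercised here. testLoadLibraryEx continues outside the hunk.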