Alexandre Julliard : gdi32: Add a check for overflow in DIB dimensions. - wine-commits

11 Sep 2013

Module: wine
Branch: master
Commit: 69abf20fcdbd34cdc80af6a2edc0ea2d59b604b6
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=69abf20fcdbd34cdc80af6a2ed...
Author: Alexandre Julliard julliard@winehq.org
Date:   Wed Sep 11 17:30:46 2013 +0200
gdi32: Add a check for overflow in DIB dimensions.
---
dlls/gdi32/dib.c          |    5 +++++
 dlls/gdi32/tests/bitmap.c |   43 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 0 deletions(-)

diff --git a/dlls/gdi32/dib.c b/dlls/gdi32/dib.c
index ad2a4dc..adf29ea 100644
--- a/dlls/gdi32/dib.c
+++ b/dlls/gdi32/dib.c
@@ -128,6 +128,11 @@ static BOOL is_valid_dib_format( const BITMAPINFOHEADER *info, BOOL allow_compre
if (!info->biPlanes) return FALSE;
+    /* check for size overflow */
+    if (!info->biBitCount) return FALSE;
+    if (UINT_MAX / info->biBitCount < info->biWidth) return FALSE;
+    if (UINT_MAX / get_dib_stride( info->biWidth, info->biBitCount ) < abs( info->biHeight )) return FALSE;
+
     switch (info->biBitCount)
     {
     case 1:
diff --git a/dlls/gdi32/tests/bitmap.c b/dlls/gdi32/tests/bitmap.c
index f72574a..6b52356 100644
--- a/dlls/gdi32/tests/bitmap.c
+++ b/dlls/gdi32/tests/bitmap.c
@@ -1207,6 +1207,49 @@ static void test_dib_formats(void)
     ret = GetDIBits(hdc, hbmp, 0, 0, NULL, bi, DIB_PAL_COLORS+2);
     ok( !ret, "GetDIBits succeeded with DIB_PAL_COLORS+2\n" );
+    bi->bmiHeader.biWidth = 0x4000;
+    bi->bmiHeader.biHeight = 0x4000;
+    bi->bmiHeader.biBitCount = 1;
+    bi->bmiHeader.biCompression = BI_RGB;
+    hdib = CreateDIBSection(hdc, bi, DIB_RGB_COLORS, &bits, NULL, 0);
+    ok( hdib != NULL, "CreateDIBSection failed with large size\n" );
+    DeleteObject( hdib );
+
+    bi->bmiHeader.biWidth = 0x8001;
+    bi->bmiHeader.biHeight = 0x8001;
+    bi->bmiHeader.biBitCount = 32;
+    bi->bmiHeader.biCompression = BI_RGB;
+    hdib = CreateDIBSection(hdc, bi, DIB_RGB_COLORS, &bits, NULL, 0);
+    ok( hdib == NULL, "CreateDIBSection succeeded with size overflow\n" );
+
+    bi->bmiHeader.biWidth = 1;
+    bi->bmiHeader.biHeight = 0x40000001;
+    bi->bmiHeader.biBitCount = 32;
+    bi->bmiHeader.biCompression = BI_RGB;
+    hdib = CreateDIBSection(hdc, bi, DIB_RGB_COLORS, &bits, NULL, 0);
+    ok( hdib == NULL, "CreateDIBSection succeeded with size overflow\n" );
+
+    bi->bmiHeader.biWidth = 2;
+    bi->bmiHeader.biHeight = 0x40000001;
+    bi->bmiHeader.biBitCount = 16;
+    bi->bmiHeader.biCompression = BI_RGB;
+    hdib = CreateDIBSection(hdc, bi, DIB_RGB_COLORS, &bits, NULL, 0);
+    ok( hdib == NULL, "CreateDIBSection succeeded with size overflow\n" );
+
+    bi->bmiHeader.biWidth = 0x40000001;
+    bi->bmiHeader.biHeight = 1;
+    bi->bmiHeader.biBitCount = 32;
+    bi->bmiHeader.biCompression = BI_RGB;
+    hdib = CreateDIBSection(hdc, bi, DIB_RGB_COLORS, &bits, NULL, 0);
+    ok( hdib == NULL, "CreateDIBSection succeeded with size overflow\n" );
+
+    bi->bmiHeader.biWidth = 0x40000001;
+    bi->bmiHeader.biHeight = 4;
+    bi->bmiHeader.biBitCount = 8;
+    bi->bmiHeader.biCompression = BI_RGB;
+    hdib = CreateDIBSection(hdc, bi, DIB_RGB_COLORS, &bits, NULL, 0);
+    ok( hdib == NULL, "CreateDIBSection succeeded with size overflow\n" );
+
     DeleteDC( memdc );
     DeleteObject( hbmp );
     ReleaseDC( 0, hdc );

    