Eberhard Beilharz : comctl32/imagelist: Fix crash with large number of images. - wine-commits

12 Dec 2018

Module: wine
Branch: master
Commit: f760079a717042d436a693df59fa1d4416a0e352
URL:    https://source.winehq.org/git/wine.git/?a=commit;h=f760079a717042d436a693df5...
Author: Eberhard Beilharz eb1@sil.org
Date:   Tue Dec 11 21:00:23 2018 +0100
comctl32/imagelist: Fix crash with large number of images.
Fix a crash that occurred when reading a imagelist with a large number
of images. In the particular case we read a cMaxImage value of 1032,
but allocated only 40 or so images. This lead to memory corruption in
ImageList_Read.  This change allows to run TntConnect.
Signed-off-by: Eberhard Beilharz eb1@sil.org
Signed-off-by: Alexandre Julliard julliard@winehq.org
---
dlls/comctl32/imagelist.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dlls/comctl32/imagelist.c b/dlls/comctl32/imagelist.c
index a08d607..3e30673 100644
--- a/dlls/comctl32/imagelist.c
+++ b/dlls/comctl32/imagelist.c
@@ -2273,7 +2273,7 @@ HIMAGELIST WINAPI ImageList_Read(IStream *pstm)
     TRACE("cx %u, cy %u, flags 0x%04x, cCurImage %u, cMaxImage %u\n",
           ilHead.cx, ilHead.cy, ilHead.flags, ilHead.cCurImage, ilHead.cMaxImage);
-    himl = ImageList_Create(ilHead.cx, ilHead.cy, ilHead.flags, ilHead.cCurImage, ilHead.cMaxImage);
+    himl = ImageList_Create(ilHead.cx, ilHead.cy, ilHead.flags, ilHead.cMaxImage, ilHead.cGrow);
     if (!himl)
    return NULL;

    