Uwe Bonnes wrote:
"C" == C Daniel Mojoli B cdmojoli@idea.com.py writes:
C> Add minimal parameter validation to function C> CURSORICON_SimulateLoadingFromResourceW(...). We check that the icon Providing a test case for such special behaviour is a good idea...
I created this patch as a result of consulting I performed at a customer's site. I no longer have access to the winedbg info I had there, so I can't provide a test. The situation is very simple to describe. Essentially this is what happens:
1) VFP6 runtime encounters a command that requires loading a resource, e.g. MODIFY SCREEN to put some background image.
2) The VFP6 runtime extracts the resource from the APP or EXE and places it in a temp file, e.g. 12345678.TMP.
3) Since the VFP6 runtime cannot use file extension information as it would if you were DOing SOME.PRG, it decides to try different ways of loading it. At some point before hitting the right loading function it tests whether the resource is a cursor icon by calling LoadImageW(type=IMAGE_CURSOR). This is IMHO, a terrible way to program, depending on failure semantics.
4) Now we are in Wine turf for the first time and LoadImageW -> CURSORICON_Load -> CURSORICON_SimulateLoadingFromResourceW.
5) CURSORICON_SimulateLoadingFromResourceW maps the file to memory (cursoricon.c:483), then tests if the file is a RIFF file (cursoricon.c:488).
6) Execution continues until L507, where it is assumed the mapped file is of icon structure. Here Wine tests if the number of icon entries != 0, but our illegal file (JPEG, GIF, etc) hardly has a zero byte value at all, so we pass the test.
7) We hit L513 and cause an exception when executing the following expression: bits->idEntries[i]. The problem is that we are looping with our index bound to the garbage number of icon entries! That garbage is almost assured to be too large and we loop past the assigned memory.
8) Exception!
I created the patch using exactly the same technique L488 uses to test for the RIFF case. I simply further test if that magic corresponds to icon file magic, right between steps 5 and 6, before any other file data is used.
Even if I hadn't encountered a problem with VFP6, I consider the patch should be applied on the grounds it simply checks the magic of file to conform to what is should be.