Re: patch for dlls/gdi32/dib.c: fixes crash

28 Jul 2011


      Am Mittwoch, 27. Juli 2011 schrieben Sie:
...
On Wed, Jul 27, 2011 at 6:44 PM, Wolfgang Walter wine@stwm.de wrote:
...

char src_bmibuf[FIELD_OFFSET( BITMAPINFO, bmiColors[256] )];
BITMAPINFO *src_info = (BITMAPINFO *)src_bmibuf;
char dst_bmibuf[FIELD_OFFSET( BITMAPINFO, bmiColors[256] )];
BITMAPINFO *dst_info = (BITMAPINFO *)dst_bmibuf;

There's another instance of that in GetDIBits. Allocating 2KB+ (2 x
1064 bytes) of data on the stack is not very reasonable I guess.
Hmm, allocating the structure on the stack is not really the problem. The 
problem is that part if the stack gets overwritten.
Allocating the these structures on the heap hides the bug mostly.
I think that
bitmapinfo_from_user_bitmapinfo()
is the real culprit. I think colors gets to big (> 256) and therefore the size 
for the memcpy.
I just insert an test in bitmapinfo_from_user_bitmapinfo() if colors is larger 
then 256 and this is indeed the case.
Regards,
-- 
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

Re: patch for dlls/gdi32/dib.c: fixes crash