Hi,
I have been working with Bernhard Loos (jhgf) for the past couple of days to track down the source of http://bugs.winehq.org/show_bug.cgi?id=28235, and today I am happy to report that I have finally located it!
Attached are two files:
* olefail.cpp - the source
* olefail.txt - actually olefail.exe renamed to evade mailing list filters :)
This is a tiny demo app, most of which is copied right out of MSDN, which showcases the problem. To break it down:
* On Windows, OLEPictureImpl_Load will read exactly 2 bytes for the header to attempt to determine the length in the case that the stat() member function of the stream interface is broken. This is acknowledged in a large block comment at olepicture.c:1339. Wine then ignores this fact and reads 8 bytes. This is just the tip of the bug, however!
* The major bug is that after this, at olepicture.c:1412, wine decides to attempt to read a buffer of unknown size and content UNTIL THE END OF THE BUFFER. While this may work for reading a string, when reading a binary buffer you MUST know the size. I'm sure we all know this :)
* Unless the stream reader interface is fairly smart at this point and returns 0 bytes read (which seems unlikely if the stat() mechanism is broken), wine is guaranteed to crash.
The solution here is to remove the broken "try until you die" method of attempting to read more than 2 bytes of the unknown buffer. Instead, simply return an error as Windows does and move on.
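The bounded loader the mail argues for, as an added illustration in C (a constructed model, not Wine's olepicture.c): a stand-in stream whose stat() can be made to fail, and a loader that reads only the 2-byte header and returns an error, instead of reading until the end of the buffer, whenever the size cannot be determined. All names here (demo_stream, demo_read, demo_stat, load_picture_bounded, run_case) are hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for an IStream: a byte buffer plus a flag that
 * models a broken Stat() (total size unknown). Not Wine's code. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
    int stat_works;   /* 0 models a stream whose Stat() is broken */
} demo_stream;

/* Read up to n bytes; returns bytes actually read (may be short). */
static size_t demo_read(demo_stream *s, void *dst, size_t n) {
    size_t avail = s->len - s->pos;
    if (n > avail) n = avail;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Total stream length, or -1 when Stat() is "broken". */
static long demo_stat(const demo_stream *s) {
    return s->stat_works ? (long)s->len : -1;
}

/* Read the 2-byte header, then either trust Stat() or bail out. Returns
 * the payload size copied into out (capacity cap), or -1 on error.
 * The payload is never read without a known, checked size. */
long load_picture_bounded(demo_stream *s, uint8_t *out, size_t cap) {
    uint8_t header[2];
    if (demo_read(s, header, sizeof header) != sizeof header)
        return -1;                          /* truncated header */
    long total = demo_stat(s);
    if (total < (long)sizeof header)
        return -1;      /* size unknown: error out instead of guessing */
    size_t payload = (size_t)total - sizeof header;
    if (payload > cap)
        return -1;                          /* caller's buffer too small */
    if (demo_read(s, out, payload) != payload)
        return -1;                          /* shorter than Stat() claimed */
    return (long)payload;
}

/* Constructed sample: a 2-byte header followed by 6 payload bytes. */
static const uint8_t sample[] = { 0x6c, 0x74, 1, 2, 3, 4, 5, 6 };

/* Run the loader over the sample, truncated to stream_len bytes. */
long run_case(int stat_works, size_t stream_len, size_t cap) {
    uint8_t out[16];
    demo_stream s = { sample, stream_len, 0, stat_works };
    return load_picture_bounded(&s, out, cap);
}
```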