From 36e72761d3382cc78e2f55370c0cea5f6cec6516 Mon Sep 17 00:00:00 2001
From: Mike McCormack
Date: Sat, 17 Aug 2002 18:30:48 +0000
Subject: [PATCH] Added sanity checks on EMRCREATEDIBPATTERNBRUSHPT values. Fix a memory leak.

---
 objects/enhmetafile.c | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/objects/enhmetafile.c b/objects/enhmetafile.c
index fcf52e564ea..9a99c9d1679 100644
--- a/objects/enhmetafile.c
+++ b/objects/enhmetafile.c
@@ -1148,11 +1148,27 @@ BOOL WINAPI PlayEnhMetaFileRecord(
  case EMR_CREATEDIBPATTERNBRUSHPT:
  {
  PEMRCREATEDIBPATTERNBRUSHPT lpCreate = (PEMRCREATEDIBPATTERNBRUSHPT)mr;
+ LPVOID lpPackedStruct;
+
+ /* check that offsets and data are contained within the record */
+ if ( !( (lpCreate->cbBmi>=0) && (lpCreate->cbBits>=0) &&
+ (lpCreate->offBmi>=0) && (lpCreate->offBits>=0) &&
+ ((lpCreate->offBmi +lpCreate->cbBmi ) <= mr->nSize) &&
+ ((lpCreate->offBits+lpCreate->cbBits) <= mr->nSize) ) )
+ {
+ ERR("Invalid EMR_CREATEDIBPATTERNBRUSHPT record\n");
+ break;
+ }
 
  /* This is a BITMAPINFO struct followed directly by bitmap bits */
- LPVOID lpPackedStruct = HeapAlloc( GetProcessHeap(),
- 0,
- lpCreate->cbBmi + lpCreate->cbBits );
+ lpPackedStruct = HeapAlloc( GetProcessHeap(), 0,
+ lpCreate->cbBmi + lpCreate->cbBits );
+ if(!lpPackedStruct)
+ {
+ SetLastError(ERROR_NOT_ENOUGH_MEMORY);
+ break;
+ }
+
  /* Now pack this structure */
  memcpy( lpPackedStruct,
  ((BYTE*)lpCreate) + lpCreate->offBmi,
@@ -1165,6 +1181,8 @@ BOOL WINAPI PlayEnhMetaFileRecord(
  CreateDIBPatternBrushPt( lpPackedStruct,
  (UINT)lpCreate->iUsage );
 
+ HeapFree(GetProcessHeap(), 0, lpPackedStruct);
+
  break;
  }
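Review bot: The containment test in the new `if` for EMR_CREATEDIBPATTERNBRUSHPT can be defeated by integer wraparound: the field types are not visible in the hunk, but if offBmi/cbBmi/offBits/cbBits and nSize are the DWORDs the Windows headers declare, the `>=0` terms are always true and `offBmi + cbBmi` can wrap to a small value that still satisfies `<= mr->nSize`, after which the memcpy reads past the end of the record. Writing the bound with subtraction avoids the overflow: `if ( lpCreate->cbBmi > mr->nSize || lpCreate->offBmi > mr->nSize - lpCreate->cbBmi ||` / `     lpCreate->cbBits > mr->nSize || lpCreate->offBits > mr->nSize - lpCreate->cbBits )`, with the ERR/break body unchanged. The same untrusted sum `cbBmi + cbBits` is passed to HeapAlloc a few lines further down, so it is worth computing the allocation size once after the bound check rather than re-adding the raw fields. If the fields are in fact signed, the negative checks are meaningful but the additions can still overflow, so the subtraction form is preferable either way. PlayEnhMetaFileRecord and the memcpy call both continue outside this hunk.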