Added sanity checks on EMRCREATEDIBPATTERNBRUSHPT values.
Fix a memory leak.
parent
15c519a15d
commit
36e72761d3
1 changed files with 21 additions and 3 deletions
|
@ -1148,11 +1148,27 @@ BOOL WINAPI PlayEnhMetaFileRecord(
|
||||||
case EMR_CREATEDIBPATTERNBRUSHPT:
|
case EMR_CREATEDIBPATTERNBRUSHPT:
|
||||||
{
|
{
|
||||||
PEMRCREATEDIBPATTERNBRUSHPT lpCreate = (PEMRCREATEDIBPATTERNBRUSHPT)mr;
|
PEMRCREATEDIBPATTERNBRUSHPT lpCreate = (PEMRCREATEDIBPATTERNBRUSHPT)mr;
|
||||||
|
LPVOID lpPackedStruct;
|
||||||
|
|
||||||
|
/* check that offsets and data are contained within the record */
|
||||||
|
if ( !( (lpCreate->cbBmi>=0) && (lpCreate->cbBits>=0) &&
|
||||||
|
(lpCreate->offBmi>=0) && (lpCreate->offBits>=0) &&
|
||||||
|
((lpCreate->offBmi +lpCreate->cbBmi ) <= mr->nSize) &&
|
||||||
|
((lpCreate->offBits+lpCreate->cbBits) <= mr->nSize) ) )
|
||||||
|
{
|
||||||
|
ERR("Invalid EMR_CREATEDIBPATTERNBRUSHPT record\n");
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
/* This is a BITMAPINFO struct followed directly by bitmap bits */
|
/* This is a BITMAPINFO struct followed directly by bitmap bits */
|
||||||
LPVOID lpPackedStruct = HeapAlloc( GetProcessHeap(),
|
lpPackedStruct = HeapAlloc( GetProcessHeap(), 0,
|
||||||
0,
|
lpCreate->cbBmi + lpCreate->cbBits );
|
||||||
lpCreate->cbBmi + lpCreate->cbBits );
|
if(!lpPackedStruct)
|
||||||
|
{
|
||||||
|
SetLastError(ERROR_NOT_ENOUGH_MEMORY);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
/* Now pack this structure */
|
/* Now pack this structure */
|
||||||
memcpy( lpPackedStruct,
|
memcpy( lpPackedStruct,
|
||||||
((BYTE*)lpCreate) + lpCreate->offBmi,
|
((BYTE*)lpCreate) + lpCreate->offBmi,
|
||||||
|
@ -1165,6 +1181,8 @@ BOOL WINAPI PlayEnhMetaFileRecord(
|
||||||
CreateDIBPatternBrushPt( lpPackedStruct,
|
CreateDIBPatternBrushPt( lpPackedStruct,
|
||||||
(UINT)lpCreate->iUsage );
|
(UINT)lpCreate->iUsage );
|
||||||
|
|
||||||
|
HeapFree(GetProcessHeap(), 0, lpPackedStruct);
|
||||||
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
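Review bot: The new bounds test adds offset and length before comparing against `mr->nSize`, so `lpCreate->offBmi + lpCreate->cbBmi` (and likewise `offBits + cbBits`) can wrap around and pass while the `memcpy` source at `((BYTE*)lpCreate) + lpCreate->offBmi` lies outside the record. If these fields are unsigned DWORDs, as in the Windows definition of the structure, the four `>=0` comparisons are also always true and reject nothing. Comparing by subtraction avoids the wrap: `(lpCreate->offBmi <= mr->nSize) && (lpCreate->cbBmi <= mr->nSize - lpCreate->offBmi) &&` and `(lpCreate->offBits <= mr->nSize) && (lpCreate->cbBits <= mr->nSize - lpCreate->offBits)`. It would also be worth rejecting a `cbBmi` smaller than a `BITMAPINFOHEADER` before the packed buffer reaches `CreateDIBPatternBrushPt`; whether `mr->nSize` itself is validated against the real buffer is decided outside these hunks, since `PlayEnhMetaFileRecord` starts and ends beyond them.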