Added sanity checks on EMRCREATEDIBPATTERNBRUSHPT values.

Fix a memory leak.
Mike McCormack 2002-08-17 18:30:48 +00:00 committed by Alexandre Julliard
parent 15c519a15d
commit 36e72761d3


@ -1148,11 +1148,27 @@ BOOL WINAPI PlayEnhMetaFileRecord(
case EMR_CREATEDIBPATTERNBRUSHPT: case EMR_CREATEDIBPATTERNBRUSHPT:
{ {
PEMRCREATEDIBPATTERNBRUSHPT lpCreate = (PEMRCREATEDIBPATTERNBRUSHPT)mr; PEMRCREATEDIBPATTERNBRUSHPT lpCreate = (PEMRCREATEDIBPATTERNBRUSHPT)mr;
LPVOID lpPackedStruct;
/* check that offsets and data are contained within the record */
if ( !( (lpCreate->cbBmi>=0) && (lpCreate->cbBits>=0) &&
(lpCreate->offBmi>=0) && (lpCreate->offBits>=0) &&
((lpCreate->offBmi +lpCreate->cbBmi ) <= mr->nSize) &&
((lpCreate->offBits+lpCreate->cbBits) <= mr->nSize) ) )
{
ERR("Invalid EMR_CREATEDIBPATTERNBRUSHPT record\n");
break;
}
/* This is a BITMAPINFO struct followed directly by bitmap bits */ /* This is a BITMAPINFO struct followed directly by bitmap bits */
LPVOID lpPackedStruct = HeapAlloc( GetProcessHeap(), lpPackedStruct = HeapAlloc( GetProcessHeap(), 0,
0, lpCreate->cbBmi + lpCreate->cbBits );
lpCreate->cbBmi + lpCreate->cbBits ); if(!lpPackedStruct)
{
SetLastError(ERROR_NOT_ENOUGH_MEMORY);
break;
}
/* Now pack this structure */ /* Now pack this structure */
memcpy( lpPackedStruct, memcpy( lpPackedStruct,
((BYTE*)lpCreate) + lpCreate->offBmi, ((BYTE*)lpCreate) + lpCreate->offBmi,
@ -1165,6 +1181,8 @@ BOOL WINAPI PlayEnhMetaFileRecord(
CreateDIBPatternBrushPt( lpPackedStruct, CreateDIBPatternBrushPt( lpPackedStruct,
(UINT)lpCreate->iUsage ); (UINT)lpCreate->iUsage );
HeapFree(GetProcessHeap(), 0, lpPackedStruct);
break; break;
} }
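Review bot: The new bounds check in the first hunk can be bypassed by integer wrap-around, because `lpCreate->offBmi + lpCreate->cbBmi` and `lpCreate->offBits + lpCreate->cbBits` are summed before the comparison with `mr->nSize`; a record with a very large offset and a small size can wrap to a small sum and pass, and the memcpy that follows would then read from outside the record. If these fields are DWORDs, as in the SDK definition of EMRCREATEDIBPATTERNBRUSHPT (the declaration is not visible here), the four `>=0` tests are always true and add no protection. Comparing without the addition avoids the wrap, e.g. `(lpCreate->offBmi <= mr->nSize) && (lpCreate->cbBmi <= mr->nSize - lpCreate->offBmi)`, with the same pair for `offBits`/`cbBits`. The HeapAlloc size `lpCreate->cbBmi + lpCreate->cbBits` deserves the same overflow check, since a wrapped sum would presumably leave the buffer smaller than the data copied into it. PlayEnhMetaFileRecord starts and ends outside the hunks shown.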