From a34c23498f3ec434ddbb88ecb9797f4c744ed27e Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Mon, 14 Feb 2005 11:08:22 +0000 Subject: [PATCH] Check for overflows with ClrUsed. --- dlls/gdi/dib.c | 1 + dlls/oleaut32/olepicture.c | 13 ++++++++++--- dlls/wineps/ps.c | 1 + windows/cursoricon.c | 3 +++ 4 files changed, 15 insertions(+), 3 deletions(-) diff --git a/dlls/gdi/dib.c b/dlls/gdi/dib.c index 5edd5a39e29..d394a1be0d1 100644 --- a/dlls/gdi/dib.c +++ b/dlls/gdi/dib.c @@ -133,6 +133,7 @@ int DIB_BitmapInfoSize( const BITMAPINFO * info, WORD coloruse ) else /* assume BITMAPINFOHEADER */ { colors = info->bmiHeader.biClrUsed; + if (colors > 256) colors = 256; if (!colors && (info->bmiHeader.biBitCount <= 8)) colors = 1 << info->bmiHeader.biBitCount; return sizeof(BITMAPINFOHEADER) + colors * diff --git a/dlls/oleaut32/olepicture.c b/dlls/oleaut32/olepicture.c index de74c36a742..639cd1813ca 100644 --- a/dlls/oleaut32/olepicture.c +++ b/dlls/oleaut32/olepicture.c @@ -1514,9 +1514,15 @@ static int serializeBMP(HBITMAP hBitmap, void ** ppBuffer, unsigned int * pLengt GetDIBits(hDC, hBitmap, 0, pInfoBitmap->bmiHeader.biHeight, pPixelData, pInfoBitmap, DIB_RGB_COLORS); /* Calculate the total length required for the BMP data */ - if (pInfoBitmap->bmiHeader.biClrUsed != 0) iNumPaletteEntries = pInfoBitmap->bmiHeader.biClrUsed; - else if (pInfoBitmap->bmiHeader.biBitCount <= 8) iNumPaletteEntries = 1 << pInfoBitmap->bmiHeader.biBitCount; - else iNumPaletteEntries = 0; + if (pInfoBitmap->bmiHeader.biClrUsed != 0) { + iNumPaletteEntries = pInfoBitmap->bmiHeader.biClrUsed; + if (iNumPaletteEntries > 256) iNumPaletteEntries = 256; + } else { + if (pInfoBitmap->bmiHeader.biBitCount <= 8) + iNumPaletteEntries = 1 << pInfoBitmap->bmiHeader.biBitCount; + else + iNumPaletteEntries = 0; + } *pLength = sizeof(BITMAPFILEHEADER) + sizeof(BITMAPINFOHEADER) + 
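Review bot: The new guard `if (colors > 256) colors = 256;` in DIB_BitmapInfoSize only holds if `colors` is unsigned. Its declaration is outside the hunk; if it is a plain `int`, a biClrUsed of 0x80000000 or more typically converts to a negative value, passes the test and still reaches the `colors *` size computation. Testing the DWORD field itself avoids depending on the local's type: `colors = info->bmiHeader.biClrUsed > 256 ? 256 : info->bmiHeader.biClrUsed;`. The same assign-then-compare pattern is used in the serializeBMP, serializeIcon, PSDRV_WriteDIBPatternDict, bitmap_info_size and DIB_FixColorsToLoadflags hunks, so `iNumPaletteEntries`, `iNumEntriesPalette`, `colours` and `colors` there need the same check. The function body starts and ends outside this hunk.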
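Review bot: After the clamp in serializeBMP, `iNumPaletteEntries` and `pInfoBitmap->bmiHeader.biClrUsed` can disagree, because only the local is limited to 256. The code that writes the header and palette into the buffer is outside the hunk. If it copies the BITMAPINFOHEADER unchanged, the serialized BMP advertises more palette entries than it contains, and a reader that trusts biClrUsed will look for the pixel data at the wrong offset. Consider storing the clamped count back in the same branch, `if (iNumPaletteEntries > 256) { iNumPaletteEntries = 256; pInfoBitmap->bmiHeader.biClrUsed = 256; }`, or rejecting the bitmap. The serializeIcon hunk clamps `iNumEntriesPalette` the same way and leaves the same gap.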
@@ -1624,6 +1630,7 @@ static int serializeIcon(HICON hIcon, void ** ppBuffer, unsigned int * pLength) || (pInfoBitmap->bmiHeader.biBitCount == 24) || (pInfoBitmap->bmiHeader.biBitCount == 32 && pInfoBitmap->bmiHeader.biCompression == BI_RGB)) { iNumEntriesPalette = pInfoBitmap->bmiHeader.biClrUsed; + if (iNumEntriesPalette > 256) iNumEntriesPalette = 256; } else if ((pInfoBitmap->bmiHeader.biBitCount == 16 || pInfoBitmap->bmiHeader.biBitCount == 32) && pInfoBitmap->bmiHeader.biCompression == BI_BITFIELDS) { iNumEntriesPalette = 3; diff --git a/dlls/wineps/ps.c b/dlls/wineps/ps.c index 810d306d8ed..c031300ef13 100644 --- a/dlls/wineps/ps.c +++ b/dlls/wineps/ps.c @@ -854,6 +854,7 @@ BOOL PSDRV_WriteDIBPatternDict(PSDRV_PDEVICE *physDev, BITMAPINFO *bmi, UINT usa bits = (char*)bmi + bmi->bmiHeader.biSize; colours = bmi->bmiHeader.biClrUsed; + if (colours > 256) colours = 256; if(!colours && bmi->bmiHeader.biBitCount <= 8) colours = 1 << bmi->bmiHeader.biBitCount; bits += colours * ((usage == DIB_RGB_COLORS) ? diff --git a/windows/cursoricon.c b/windows/cursoricon.c index 192000e9da8..69f38b030c6 100644 --- a/windows/cursoricon.c +++ b/windows/cursoricon.c @@ -219,6 +219,8 @@ static int bitmap_info_size( const BITMAPINFO * info, WORD coloruse ) else /* assume BITMAPINFOHEADER */ { colors = info->bmiHeader.biClrUsed; + if (colors > 256) /* buffer overflow otherwise */ + colors = 256; if (!colors && (info->bmiHeader.biBitCount <= 8)) colors = 1 << info->bmiHeader.biBitCount; return sizeof(BITMAPINFOHEADER) + colors * @@ -2043,6 +2045,7 @@ static void DIB_FixColorsToLoadflags(BITMAPINFO * bmi, UINT loadflags, BYTE pix) { incr = 4; colors = bmi->bmiHeader.biClrUsed; + if (colors > 256) colors = 256; if (!colors && (bpp <= 8)) colors = 1 << bpp; }
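Review bot: In PSDRV_WriteDIBPatternDict the first context line, `bits = (char*)bmi + bmi->bmiHeader.biSize;`, still takes biSize from the same header without a check, so clamping `colours` bounds only the palette skip and not the starting offset. If `bmi` can be an application-supplied DIB, which is what the new clamp implies, biSize should be validated before the pointer arithmetic. One option is `if (bmi->bmiHeader.biSize != sizeof(BITMAPINFOHEADER)) return FALSE;`, or a test against the set of header sizes the driver accepts. The rest of the function is outside the hunk, so a caller may already enforce this and that should be confirmed.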
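Review bot: The comment `/* buffer overflow otherwise */` added in bitmap_info_size does not say which buffer is at risk or why 256 is the limit, and the other five clamps in this patch carry no comment at all. A wording such as `/* color table holds at most 256 entries (8 bpp); do not trust biClrUsed */` would make the intent checkable at each site. The literal 256 is now repeated in six places across four files; a shared named constant would keep them from drifting apart. The visible lines of bitmap_info_size are identical to those of DIB_BitmapInfoSize in dlls/gdi/dib.c, so any later correction to one has to be mirrored in the other.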