Commit 2ae7ecb9 authored by Dmitry Timoshkov, committed by Alexandre Julliard

uxtheme: Protect CloseThemeData() from invalid input.

With test case by Michael Müller <michael@fds-team.de>. Zhiyi Zhang's comments: Some applications close the same HTHEME handle more than once, causing a use-after-free. HTHEME is a handle rather than a pointer. Some testing shows that it's a handle starting from 0x10000 or 0x20000. Each new handle increments from the first handle and closing handles decrements it. I prefer not to implement this handle-to-data map for now because it will likely hurt performance. Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=29974
parent ae3c9e32
...@@ -32,6 +32,7 @@ ...@@ -32,6 +32,7 @@
#include "msstyles.h" #include "msstyles.h"
#include "wine/exception.h"
#include "wine/debug.h" #include "wine/debug.h"
#include "wine/heap.h" #include "wine/heap.h"
...@@ -49,6 +50,8 @@ static HRESULT MSSTYLES_GetFont (LPCWSTR lpStringStart, LPCWSTR lpStringEnd, LPC ...@@ -49,6 +50,8 @@ static HRESULT MSSTYLES_GetFont (LPCWSTR lpStringStart, LPCWSTR lpStringEnd, LPC
#define MSSTYLES_VERSION 0x0003 #define MSSTYLES_VERSION 0x0003
#define THEME_CLASS_SIGNATURE 0x12bc6d83
static PTHEME_FILE tfActiveTheme; static PTHEME_FILE tfActiveTheme;
/***********************************************************************/ /***********************************************************************/
...@@ -204,6 +207,7 @@ void MSSTYLES_CloseThemeFile(PTHEME_FILE tf) ...@@ -204,6 +207,7 @@ void MSSTYLES_CloseThemeFile(PTHEME_FILE tf)
pcls->partstate = ps->next; pcls->partstate = ps->next;
heap_free(ps); heap_free(ps);
} }
pcls->signature = 0;
heap_free(pcls); heap_free(pcls);
} }
} }
...@@ -442,6 +446,7 @@ static PTHEME_CLASS MSSTYLES_AddClass(PTHEME_FILE tf, LPCWSTR pszAppName, LPCWST ...@@ -442,6 +446,7 @@ static PTHEME_CLASS MSSTYLES_AddClass(PTHEME_FILE tf, LPCWSTR pszAppName, LPCWST
if(cur) return cur; if(cur) return cur;
cur = heap_alloc(sizeof(*cur)); cur = heap_alloc(sizeof(*cur));
cur->signature = THEME_CLASS_SIGNATURE;
cur->hTheme = tf->hTheme; cur->hTheme = tf->hTheme;
lstrcpyW(cur->szAppName, pszAppName); lstrcpyW(cur->szAppName, pszAppName);
lstrcpyW(cur->szClassName, pszClassName); lstrcpyW(cur->szClassName, pszClassName);
...@@ -1075,6 +1080,23 @@ PTHEME_CLASS MSSTYLES_OpenThemeClass(LPCWSTR pszAppName, LPCWSTR pszClassList, U ...@@ -1075,6 +1080,23 @@ PTHEME_CLASS MSSTYLES_OpenThemeClass(LPCWSTR pszAppName, LPCWSTR pszClassList, U
*/ */
HRESULT MSSTYLES_CloseThemeClass(PTHEME_CLASS tc) HRESULT MSSTYLES_CloseThemeClass(PTHEME_CLASS tc)
{ {
__TRY
{
if (tc->signature != THEME_CLASS_SIGNATURE)
tc = NULL;
}
__EXCEPT_PAGE_FAULT
{
tc = NULL;
}
__ENDTRY
if (!tc)
{
WARN("Invalid theme class handle\n");
return E_HANDLE;
}
MSSTYLES_CloseThemeFile (tc->tf); MSSTYLES_CloseThemeFile (tc->tf);
return S_OK; return S_OK;
} }
......
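Review bot: The signature check in MSSTYLES_CloseThemeClass is only best-effort and the function should say so: a stale handle whose freed block has since been reused by MSSTYLES_AddClass (which stores THEME_CLASS_SIGNATURE at the same offset) passes the check and closes the wrong class, and of the mapped-but-wrong pointers only those that fault are caught by `__EXCEPT_PAGE_FAULT`. Also `tc->tf` is dereferenced again after `__ENDTRY`, outside the guard, so the untrusted handle is touched twice; loading `tf` inside the `__TRY` keeps a single guarded access and lets one null check cover both failure modes. A comment such as `/* Best-effort: rejects unmapped pointers and blocks whose signature was cleared on free, not a stale handle whose memory was reused by a later THEME_CLASS. */` would record the limitation the commit description already acknowledges. MSSTYLES_CloseThemeFile, which clears the signature, starts outside the hunk, so the ordering of the clear against the theme file's own teardown is not visible here.
```c
HRESULT MSSTYLES_CloseThemeClass(PTHEME_CLASS tc)
{
    PTHEME_FILE tf = NULL;

    /* Best-effort: rejects unmapped pointers and blocks whose signature was
     * cleared on free, not a stale handle whose memory was reused by a later
     * THEME_CLASS. The handle is dereferenced only inside this guard. */
    __TRY
    {
        if (tc->signature == THEME_CLASS_SIGNATURE) tf = tc->tf;
    }
    __EXCEPT_PAGE_FAULT
    {
        tf = NULL;
    }
    __ENDTRY
    if (!tf)
    {
        WARN("Invalid theme class handle\n");
        return E_HANDLE;
    }
    MSSTYLES_CloseThemeFile (tf);
    return S_OK;
}
```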
...@@ -49,6 +49,7 @@ typedef struct _THEME_PARTSTATE { ...@@ -49,6 +49,7 @@ typedef struct _THEME_PARTSTATE {
struct _THEME_FILE; struct _THEME_FILE;
typedef struct _THEME_CLASS { typedef struct _THEME_CLASS {
DWORD signature;
HMODULE hTheme; HMODULE hTheme;
struct _THEME_FILE* tf; struct _THEME_FILE* tf;
WCHAR szAppName[MAX_THEME_APP_NAME]; WCHAR szAppName[MAX_THEME_APP_NAME];
......
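Review bot: The new `signature` field at the head of `_THEME_CLASS` carries no comment, yet it is the only thing MSSTYLES_CloseThemeClass relies on to reject freed or bogus handles, so its contract belongs on the declaration: `DWORD signature; /* THEME_CLASS_SIGNATURE while allocated; cleared to 0 before heap_free so a double close is detected */`. Putting it at offset 0 presumably also lets a recycled block's allocator bookkeeping clobber it, which helps detection, but that is allocator-dependent and worth a word if it was intended. The rest of the struct is outside the hunk.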
...@@ -835,6 +835,8 @@ static void test_CloseThemeData(void) ...@@ -835,6 +835,8 @@ static void test_CloseThemeData(void)
ok( hRes == E_HANDLE, "Expected E_HANDLE, got 0x%08lx\n", hRes); ok( hRes == E_HANDLE, "Expected E_HANDLE, got 0x%08lx\n", hRes);
hRes = CloseThemeData(INVALID_HANDLE_VALUE); hRes = CloseThemeData(INVALID_HANDLE_VALUE);
ok( hRes == E_HANDLE, "Expected E_HANDLE, got 0x%08lx\n", hRes); ok( hRes == E_HANDLE, "Expected E_HANDLE, got 0x%08lx\n", hRes);
hRes = CloseThemeData((HTHEME)0xdeadbeef);
ok(hRes == E_HANDLE, "Expected E_HANDLE, got 0x%08lx\n", hRes);
} }
static void test_buffer_dc_props(HDC hdc, const RECT *rect) static void test_buffer_dc_props(HDC hdc, const RECT *rect)
......
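Review bot: The new assertion covers an unmapped pointer (`0xdeadbeef`) but not the case the commit description names as the actual trigger, closing the same valid HTHEME twice, so the double-close path that the signature check exists for is still unexercised. If test_CloseThemeData already holds a handle from OpenThemeData (the function begins outside the hunk, so I cannot see it), add a second close right after the first and pin its result: `hRes = CloseThemeData(hTheme); ok(hRes == E_HANDLE, "Expected E_HANDLE, got 0x%08lx\n", hRes);`. Whether native returns E_HANDLE on a second close is inferred from the handle-table behaviour described in the commit message, not from anything in this hunk, so confirm it against Windows before committing the expectation.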