Check for overflows with ClrUsed.

a34c2349 · Marcus Meissner · Alexandre Julliard · 30ed1000 · a34c2349 · a34c2349
Commit a34c2349 authored Feb 14, 2005 by Marcus Meissner Committed by Alexandre Julliard Feb 14, 2005
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 3 deletions

dib.c dlls/gdi/dib.c +1 -0

olepicture.c dlls/oleaut32/olepicture.c +10 -3

ps.c dlls/wineps/ps.c +1 -0

cursoricon.c windows/cursoricon.c +3 -0

No files found.
--- a/dlls/gdi/dib.c
+++ b/dlls/gdi/dib.c
@@ -133,6 +133,7 @@ int DIB_BitmapInfoSize( const BITMAPINFO * info, WORD coloruse )
    else  /* assume BITMAPINFOHEADER */
    {
        colors = info->bmiHeader.biClrUsed;
+        if (colors > 256) colors = 256;
        if (!colors && (info->bmiHeader.biBitCount <= 8))
            colors = 1 << info->bmiHeader.biBitCount;
        return sizeof(BITMAPINFOHEADER) + colors *

--- a/dlls/oleaut32/olepicture.c
+++ b/dlls/oleaut32/olepicture.c
@@ -1514,9 +1514,15 @@ static int serializeBMP(HBITMAP hBitmap, void ** ppBuffer, unsigned int * pLengt
    GetDIBits(hDC, hBitmap, 0, pInfoBitmap->bmiHeader.biHeight, pPixelData, pInfoBitmap, DIB_RGB_COLORS);

    /* Calculate the total length required for the BMP data */
-    if (pInfoBitmap->bmiHeader.biClrUsed != 0) iNumPaletteEntries = pInfoBitmap->bmiHeader.biClrUsed;
-    else if (pInfoBitmap->bmiHeader.biBitCount <= 8) iNumPaletteEntries = 1 << pInfoBitmap->bmiHeader.biBitCount;
-    else iNumPaletteEntries = 0;
+    if (pInfoBitmap->bmiHeader.biClrUsed != 0) {
+	iNumPaletteEntries = pInfoBitmap->bmiHeader.biClrUsed;
+	if (iNumPaletteEntries > 256) iNumPaletteEntries = 256;
+    } else {
+	if (pInfoBitmap->bmiHeader.biBitCount <= 8)
+	    iNumPaletteEntries = 1 << pInfoBitmap->bmiHeader.biBitCount;
+	else
+    	    iNumPaletteEntries = 0;
+    }
    *pLength =
        sizeof(BITMAPFILEHEADER) +
        sizeof(BITMAPINFOHEADER) +
@@ -1624,6 +1630,7 @@ static int serializeIcon(HICON hIcon, void ** ppBuffer, unsigned int * pLength)
 				||	(pInfoBitmap->bmiHeader.biBitCount == 24)
 				||	(pInfoBitmap->bmiHeader.biBitCount == 32 && pInfoBitmap->bmiHeader.biCompression == BI_RGB)) {
 				iNumEntriesPalette = pInfoBitmap->bmiHeader.biClrUsed;
+				if (iNumEntriesPalette > 256) iNumEntriesPalette = 256; 
 			} else if ((pInfoBitmap->bmiHeader.biBitCount == 16 || pInfoBitmap->bmiHeader.biBitCount == 32)
 				&& pInfoBitmap->bmiHeader.biCompression == BI_BITFIELDS) {
 				iNumEntriesPalette = 3;

--- a/dlls/wineps/ps.c
+++ b/dlls/wineps/ps.c
@@ -854,6 +854,7 @@ BOOL PSDRV_WriteDIBPatternDict(PSDRV_PDEVICE *physDev, BITMAPINFO *bmi, UINT usa

    bits = (char*)bmi + bmi->bmiHeader.biSize;
    colours = bmi->bmiHeader.biClrUsed;
+    if (colours > 256) colours = 256;
    if(!colours && bmi->bmiHeader.biBitCount <= 8)
        colours = 1 << bmi->bmiHeader.biBitCount;
    bits += colours * ((usage == DIB_RGB_COLORS) ?

--- a/windows/cursoricon.c
+++ b/windows/cursoricon.c
@@ -219,6 +219,8 @@ static int bitmap_info_size( const BITMAPINFO * info, WORD coloruse )
    else  /* assume BITMAPINFOHEADER */
    {
        colors = info->bmiHeader.biClrUsed;
+	if (colors > 256) /* buffer overflow otherwise */
+		colors = 256;
        if (!colors && (info->bmiHeader.biBitCount <= 8))
            colors = 1 << info->bmiHeader.biBitCount;
        return sizeof(BITMAPINFOHEADER) + colors *
@@ -2043,6 +2045,7 @@ static void DIB_FixColorsToLoadflags(BITMAPINFO * bmi, UINT loadflags, BYTE pix)
  {
      incr = 4;
      colors = bmi->bmiHeader.biClrUsed;
+      if (colors > 256) colors = 256;
      if (!colors && (bpp <= 8)) colors = 1 << bpp;
  }