user32: Add size checks when creating an icon from bitmap info.

267109d6 · Alexandre Julliard · 03395f2d · 267109d6
Commit 267109d6 authored Mar 28, 2013 by Alexandre Julliard
Show whitespace changes
Inline Side-by-side

Showing with 47 additions and 16 deletions

cursoricon.c dlls/user32/cursoricon.c +47 -16

No files found.
--- a/dlls/user32/cursoricon.c
+++ b/dlls/user32/cursoricon.c
@@ -796,11 +796,11 @@ done:
 *
 * Create an icon from its BITMAPINFO.
 */
-static HICON create_icon_from_bmi( BITMAPINFO *bmi, HMODULE module, LPCWSTR resname, HRSRC rsrc,
+static HICON create_icon_from_bmi( const BITMAPINFO *bmi, DWORD maxsize, HMODULE module, LPCWSTR resname,
-                                   POINT hotspot, BOOL bIcon, INT width, INT height, UINT cFlag )
+                                   HRSRC rsrc, POINT hotspot, BOOL bIcon, INT width, INT height,
+                                   UINT cFlag )
 {
-    unsigned int size = bitmap_info_size( bmi, DIB_RGB_COLORS );
+    DWORD size, color_size, mask_size;
-    BOOL monochrome = is_dib_monochrome( bmi );
    HBITMAP color = 0, mask = 0, alpha = 0;
    const void *color_bits, *mask_bits;
    BITMAPINFO *bmi_copy;
@@ -811,14 +811,35 @@ static HICON create_icon_from_bmi( BITMAPINFO *bmi, HMODULE module, LPCWSTR resn
    /* Check bitmap header */
+    if (maxsize < sizeof(BITMAPCOREHEADER))
+    {
+        WARN( "invalid size %u\n", maxsize );
+        return 0;
+    }
+    if (maxsize < bmi->bmiHeader.biSize)
+    {
+        WARN( "invalid header size %u\n", bmi->bmiHeader.biSize );
+        return 0;
+    }
    if ( (bmi->bmiHeader.biSize != sizeof(BITMAPCOREHEADER)) &&
         (bmi->bmiHeader.biSize != sizeof(BITMAPINFOHEADER)  ||
         (bmi->bmiHeader.biCompression != BI_RGB &&
          bmi->bmiHeader.biCompression != BI_BITFIELDS)) )
    {
-          WARN_(cursor)("\tinvalid resource bitmap header.\n");
+        WARN( "invalid bitmap header %u\n", bmi->bmiHeader.biSize );
+        return 0;
+    }
+    size = bitmap_info_size( bmi, DIB_RGB_COLORS );
+    color_size = get_dib_image_size( bmi->bmiHeader.biWidth, bmi->bmiHeader.biHeight / 2,
+                                     bmi->bmiHeader.biBitCount );
+    mask_size = get_dib_image_size( bmi->bmiHeader.biWidth, bmi->bmiHeader.biHeight / 2, 1 );
+    if (size > maxsize || color_size > maxsize - size)
+    {
+        WARN( "truncated file %u < %u+%u+%u\n", maxsize, size, color_size, mask_size );
        return 0;
    }
+    if (mask_size > maxsize - size - color_size) mask_size = 0;  /* no mask */
    if (cFlag & LR_DEFAULTSIZE)
    {
@@ -856,11 +877,10 @@ static HICON create_icon_from_bmi( BITMAPINFO *bmi, HMODULE module, LPCWSTR resn
    bmi_copy->bmiHeader.biHeight /= 2;
    color_bits = (const char*)bmi + size;
-    mask_bits = (const char*)color_bits +
+    mask_bits = (const char*)color_bits + color_size;
-        get_dib_image_size( bmi->bmiHeader.biWidth, bmi_copy->bmiHeader.biHeight, bmi->bmiHeader.biBitCount );
    alpha = 0;
-    if (monochrome)
+    if (is_dib_monochrome( bmi ))
    {
        if (!(mask = CreateBitmap( width, height * 2, 1, 1, NULL ))) goto done;
        color = 0;
@@ -908,10 +928,13 @@ static HICON create_icon_from_bmi( BITMAPINFO *bmi, HMODULE module, LPCWSTR resn
        }
    }
+    if (mask_size)
+    {
        SelectObject( hdc, mask );
        StretchDIBits( hdc, 0, 0, width, height,
                       0, 0, bmi_copy->bmiHeader.biWidth, bmi_copy->bmiHeader.biHeight,
                       mask_bits, bmi_copy, DIB_RGB_COLORS, SRCCOPY );
+    }
    ret = TRUE;
 done:
@@ -1170,7 +1193,6 @@ static HCURSOR CURSORICON_CreateIconFromANI( const LPBYTE bits, DWORD bits_size,
                                            bits + bits_size - icon_data,
                                            width, height, depth, loadflags );
-        bmi = (const BITMAPINFO *) (icon_data + entry->dwDIBOffset);
        info->hotspot.x = entry->xHotspot;
        info->hotspot.y = entry->yHotspot;
        if (!header.width || !header.height)
@@ -1184,9 +1206,16 @@ static HCURSOR CURSORICON_CreateIconFromANI( const LPBYTE bits, DWORD bits_size,
            frameHeight = header.height;
        }
+        frames[i] = NULL;
+        if (entry->dwDIBOffset < bits + bits_size - icon_data)
+        {
+            bmi = (const BITMAPINFO *) (icon_data + entry->dwDIBOffset);
            /* Grab a frame from the animation */
-        frames[i] = create_icon_from_bmi( (BITMAPINFO *)bmi, NULL, NULL, NULL, info->hotspot,
+            frames[i] = create_icon_from_bmi( bmi, bits + bits_size - (const BYTE *)bmi,
+                                              NULL, NULL, NULL, info->hotspot,
                                              is_icon, frameWidth, frameHeight, loadflags );
+        }
        if (!frames[i])
        {
            FIXME_(cursor)("failed to convert animated cursor frame.\n");
@@ -1250,8 +1279,7 @@ static HCURSOR CURSORICON_CreateIconFromANI( const LPBYTE bits, DWORD bits_size,
 /**********************************************************************
 *		CreateIconFromResourceEx (USER32.@)
 *
- * FIXME: Convert to mono when cFlag is LR_MONOCHROME. Do something
+ * FIXME: Convert to mono when cFlag is LR_MONOCHROME.
- *        with cbSize parameter as well.
 */
 HICON WINAPI CreateIconFromResourceEx( LPBYTE bits, UINT cbSize,
                                       BOOL bIcon, DWORD dwVersion,
@@ -1290,9 +1318,10 @@ HICON WINAPI CreateIconFromResourceEx( LPBYTE bits, UINT cbSize,
        hotspot.x = pt[0];
        hotspot.y = pt[1];
        bmi = (BITMAPINFO *)(pt + 2);
+        cbSize -= 2 * sizeof(*pt);
    }
-    return create_icon_from_bmi( bmi, NULL, NULL, NULL, hotspot, bIcon, width, height, cFlag );
+    return create_icon_from_bmi( bmi, cbSize, NULL, NULL, NULL, hotspot, bIcon, width, height, cFlag );
 }
@@ -1350,8 +1379,8 @@ static HICON CURSORICON_LoadFromFile( LPCWSTR filename,
    hotspot.x = entry->xHotspot;
    hotspot.y = entry->yHotspot;
-    hIcon = create_icon_from_bmi( (BITMAPINFO *)&bits[entry->dwDIBOffset], NULL, NULL, NULL,
+    hIcon = create_icon_from_bmi( (BITMAPINFO *)&bits[entry->dwDIBOffset], filesize - entry->dwDIBOffset,
-                                  hotspot, !fCursor, width, height, loadflags );
+                                  NULL, NULL, NULL, hotspot, !fCursor, width, height, loadflags );
 end:
    TRACE("loaded %s -> %p\n", debugstr_w( filename ), hIcon );
    UnmapViewOfFile( bits );
@@ -1438,6 +1467,7 @@ static HICON CURSORICON_Load(HINSTANCE hInstance, LPCWSTR name,
    }
    if (!(handle = LoadResource( hInstance, hRsrc ))) return 0;
+    size = SizeofResource( hInstance, hRsrc );
    bits = LockResource( handle );
    if (!fCursor)
@@ -1451,8 +1481,9 @@ static HICON CURSORICON_Load(HINSTANCE hInstance, LPCWSTR name,
        hotspot.x = pt[0];
        hotspot.y = pt[1];
        bits += 2 * sizeof(SHORT);
+        size -= 2 * sizeof(SHORT);
    }
-    hIcon = create_icon_from_bmi( (BITMAPINFO *)bits, hInstance, name, hRsrc,
+    hIcon = create_icon_from_bmi( (BITMAPINFO *)bits, size, hInstance, name, hRsrc,
                                  hotspot, !fCursor, width, height, loadflags );
    FreeResource( handle );
    return hIcon;