uxtheme: Protect CloseThemeData() from invalid input.

With test case by Michael Müller <michael@fds-team.de>. Zhiyi Zhang's comments: Some applications close the same HTHEME handle more than once, causing use-after-free. HTHEME is a handle rather than a pointer. Some testing shows that it's a handle starting from 0x10000 or 0x20000. Each new handle increments from the first handle and closing handles decrements it. I prefer not to implement this handle to data map for now because it will likely hurt performance. Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=29974

uxtheme: Protect CloseThemeData() from invalid input.
2ae7ecb9 · Dmitry Timoshkov · Alexandre Julliard · ae3c9e32 · 2ae7ecb9 · 2ae7ecb9
Commit 2ae7ecb9 authored Aug 12, 2022 by Dmitry Timoshkov Committed by Alexandre Julliard Nov 08, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 0 deletions

msstyles.c dlls/uxtheme/msstyles.c +22 -0

msstyles.h dlls/uxtheme/msstyles.h +1 -0

system.c dlls/uxtheme/tests/system.c +2 -0

No files found.
--- a/dlls/uxtheme/msstyles.c
+++ b/dlls/uxtheme/msstyles.c
@@ -32,6 +32,7 @@

 #include "msstyles.h"

+#include "wine/exception.h"
 #include "wine/debug.h"
 #include "wine/heap.h"

@@ -49,6 +50,8 @@ static HRESULT MSSTYLES_GetFont (LPCWSTR lpStringStart, LPCWSTR lpStringEnd, LPC

 #define MSSTYLES_VERSION 0x0003

+#define THEME_CLASS_SIGNATURE 0x12bc6d83
+
 static PTHEME_FILE tfActiveTheme;

 /***********************************************************************/
@@ -204,6 +207,7 @@ void MSSTYLES_CloseThemeFile(PTHEME_FILE tf)
                        pcls->partstate = ps->next;
                        heap_free(ps);
                    }
+                    pcls->signature = 0;
                    heap_free(pcls);
                }
            }
@@ -442,6 +446,7 @@ static PTHEME_CLASS MSSTYLES_AddClass(PTHEME_FILE tf, LPCWSTR pszAppName, LPCWST
    if(cur) return cur;

    cur = heap_alloc(sizeof(*cur));
+    cur->signature = THEME_CLASS_SIGNATURE;
    cur->hTheme = tf->hTheme;
    lstrcpyW(cur->szAppName, pszAppName);
    lstrcpyW(cur->szClassName, pszClassName);
@@ -1075,6 +1080,23 @@ PTHEME_CLASS MSSTYLES_OpenThemeClass(LPCWSTR pszAppName, LPCWSTR pszClassList, U
 */
 HRESULT MSSTYLES_CloseThemeClass(PTHEME_CLASS tc)
 {
+    __TRY
+    {
+        if (tc->signature != THEME_CLASS_SIGNATURE)
+            tc = NULL;
+    }
+    __EXCEPT_PAGE_FAULT
+    {
+        tc = NULL;
+    }
+    __ENDTRY
+
+    if (!tc)
+    {
+        WARN("Invalid theme class handle\n");
+        return E_HANDLE;
+    }
+
    MSSTYLES_CloseThemeFile (tc->tf);
    return S_OK;
 }

--- a/dlls/uxtheme/msstyles.h
+++ b/dlls/uxtheme/msstyles.h
@@ -49,6 +49,7 @@ typedef struct _THEME_PARTSTATE {
 struct _THEME_FILE;

 typedef struct _THEME_CLASS {
+    DWORD signature;
    HMODULE hTheme;
    struct _THEME_FILE* tf;
    WCHAR szAppName[MAX_THEME_APP_NAME];

--- a/dlls/uxtheme/tests/system.c
+++ b/dlls/uxtheme/tests/system.c
@@ -835,6 +835,8 @@ static void test_CloseThemeData(void)
    ok( hRes == E_HANDLE, "Expected E_HANDLE, got 0x%08lx\n", hRes);
    hRes = CloseThemeData(INVALID_HANDLE_VALUE);
    ok( hRes == E_HANDLE, "Expected E_HANDLE, got 0x%08lx\n", hRes);
+    hRes = CloseThemeData((HTHEME)0xdeadbeef);
+    ok(hRes == E_HANDLE, "Expected E_HANDLE, got 0x%08lx\n", hRes);
 }

 static void test_buffer_dc_props(HDC hdc, const RECT *rect)