kernel32: Validate handle before freeing a LOAD_LIBRARY_AS_DATAFILE module.

Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=46019Signed-off-by: Alexandre Julliard <julliard@winehq.org>

kernel32: Validate handle before freeing a LOAD_LIBRARY_AS_DATAFILE module.
35d202fc · Alexandre Julliard · f2deab41 · 35d202fc · 35d202fc
Commit 35d202fc authored Apr 05, 2019 by Alexandre Julliard
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 1 deletion

module.c dlls/kernel32/module.c +7 -1

module.c dlls/kernel32/tests/module.c +5 -0

No files found.
--- a/dlls/kernel32/module.c
+++ b/dlls/kernel32/module.c
@@ -1102,6 +1102,12 @@ BOOL WINAPI DECLSPEC_HOTPATCH FreeLibrary(HINSTANCE hLibModule)
    if ((ULONG_PTR)hLibModule & 3) /* this is a datafile module */
    {
+        void *ptr = (void *)((ULONG_PTR)hLibModule & ~3);
+        if (!RtlImageNtHeader( ptr ))
+        {
+            SetLastError( ERROR_BAD_EXE_FORMAT );
+            return FALSE;
+        }
        if ((ULONG_PTR)hLibModule & 1)
        {
            struct exclusive_datafile *file;
@@ -1119,7 +1125,7 @@ BOOL WINAPI DECLSPEC_HOTPATCH FreeLibrary(HINSTANCE hLibModule)
            }
            LdrUnlockLoaderLock( 0, magic );
        }
-        return UnmapViewOfFile( (void *)((ULONG_PTR)hLibModule & ~3) );
+        return UnmapViewOfFile( ptr );
    }
    if ((nts = LdrUnloadDll( hLibModule )) == STATUS_SUCCESS) retv = TRUE;

--- a/dlls/kernel32/tests/module.c
+++ b/dlls/kernel32/tests/module.c
@@ -430,6 +430,11 @@ static void testLoadLibraryEx(void)
    ok(hmodule != 0, "Expected valid module handle\n");
    SetLastError(0xdeadbeef);
+    ret = FreeLibrary( (HMODULE)((ULONG_PTR)hmodule + 0x1230));
+    ok(!ret, "Free succeeded on wrong handle\n");
+    ok(GetLastError() == ERROR_BAD_EXE_FORMAT, "wrong error %u\n", GetLastError());
+    SetLastError(0xdeadbeef);
    ret = FreeLibrary(hmodule);
    ok(ret, "Expected to be able to free the module, failed with %d\n", GetLastError());
    SetLastError(0xdeadbeef);