user32: Validate DIB offset in CURSORICON_GetFileEntry.

Signed-off-by: Bernhard Übelacker <bernhardu@mailbox.org> Signed-off-by: Alexandre Julliard <julliard@winehq.org>

user32: Validate DIB offset in CURSORICON_GetFileEntry.
9256017a · Bernhard Übelacker · Alexandre Julliard · 318edcc9 · 9256017a · 9256017a
Commit 9256017a authored Jan 28, 2018 by Bernhard Übelacker Committed by Alexandre Julliard Jan 30, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 0 deletions

cursoricon.c dlls/user32/cursoricon.c +1 -0

cursoricon.c dlls/user32/tests/cursoricon.c +8 -0

No files found.
--- a/dlls/user32/cursoricon.c
+++ b/dlls/user32/cursoricon.c
@@ -678,6 +678,7 @@ static BOOL CURSORICON_GetFileEntry( LPCVOID dir, DWORD size, int n,
    if ((const char *)&filedir->idEntries[n + 1] - (const char *)dir > size)
        return FALSE;
    entry = &filedir->idEntries[n];
+    if (entry->dwDIBOffset > size - sizeof(info->biSize)) return FALSE;
    info = (const BITMAPINFOHEADER *)((const char *)dir + entry->dwDIBOffset);
    if (info->biSize != sizeof(BITMAPCOREHEADER))
    {

--- a/dlls/user32/tests/cursoricon.c
+++ b/dlls/user32/tests/cursoricon.c
@@ -1031,6 +1031,12 @@ static const unsigned char gif4pixel[42] = {
 0x02,0x00,0x00,0x02,0x03,0x14,0x16,0x05,0x00,0x3b
 };
+/* An invalid cursor with an invalid dwDIBOffset */
+static const unsigned char invalid_dwDIBOffset[] = {
+  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00
+};
 static const DWORD biSize_tests[] = {
    0,
    sizeof(BITMAPCOREHEADER) - 1,
@@ -1320,6 +1326,8 @@ static void test_LoadImage(void)
        test_LoadImageFile("BMP (broken biSize)", bmpimage, sizeof(bmpimage), "bmp", 0);
    }
    bitmap_header->biSize = sizeof(BITMAPINFOHEADER);
+    test_LoadImageFile("Cursor (invalid dwDIBOffset)", invalid_dwDIBOffset, sizeof(invalid_dwDIBOffset), "cur", 0);
 }
 #undef ARRAY_SIZE