From 1fcc4ffdfa84dd6d56f7947c43ebe1d8446b9d8d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alex=20Villac=C3=ADs=20Lasso?= Date: Fri, 11 Apr 2008 10:19:00 -0500 Subject: [PATCH] user32: LoadImage(IMAGE_BITMAP) should reject invalid BMP files (with tests). --- dlls/user32/cursoricon.c | 11 ++++ dlls/user32/tests/cursoricon.c | 111 +++++++++++++++++++++++++++++++++ 2 files changed, 122 insertions(+) diff --git a/dlls/user32/cursoricon.c b/dlls/user32/cursoricon.c index df6a40879fa..153a2a4f089 100644 --- a/dlls/user32/cursoricon.c +++ b/dlls/user32/cursoricon.c @@ -2148,8 +2148,19 @@ static HBITMAP BITMAP_Load( HINSTANCE instance, LPCWSTR name, } else { + BITMAPFILEHEADER * bmfh; + if (!(ptr = map_fileW( name, NULL ))) return 0; info = (BITMAPINFO *)(ptr + sizeof(BITMAPFILEHEADER)); + bmfh = (BITMAPFILEHEADER *)ptr; + if (!( bmfh->bfType == 0x4d42 /* 'BM' */ && + bmfh->bfReserved1 == 0 && + bmfh->bfReserved2 == 0)) + { + WARN("Invalid/unsupported bitmap format!\n"); + UnmapViewOfFile( ptr ); + return 0; + } } size = bitmap_info_size(info, DIB_RGB_COLORS); diff --git a/dlls/user32/tests/cursoricon.c b/dlls/user32/tests/cursoricon.c index 7ea79ad0119..40f3a1413f2 100644 --- a/dlls/user32/tests/cursoricon.c +++ b/dlls/user32/tests/cursoricon.c @@ -583,6 +583,111 @@ static void test_CreateIcon(void) DeleteObject(hbmColor); } +/* Shamelessly ripped from dlls/oleaut32/tests/olepicture.c */ +/* 1x1 pixel gif */ +static const unsigned char gifimage[35] = { +0x47,0x49,0x46,0x38,0x37,0x61,0x01,0x00,0x01,0x00,0x80,0x00,0x00,0xff,0xff,0xff, +0xff,0xff,0xff,0x2c,0x00,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x02,0x02,0x44, +0x01,0x00,0x3b +}; + +/* 1x1 pixel jpg */ +static const unsigned char jpgimage[285] = { +0xff,0xd8,0xff,0xe0,0x00,0x10,0x4a,0x46,0x49,0x46,0x00,0x01,0x01,0x01,0x01,0x2c, +0x01,0x2c,0x00,0x00,0xff,0xdb,0x00,0x43,0x00,0x05,0x03,0x04,0x04,0x04,0x03,0x05, +0x04,0x04,0x04,0x05,0x05,0x05,0x06,0x07,0x0c,0x08,0x07,0x07,0x07,0x07,0x0f,0x0b, +0x0b,0x09,0x0c,0x11,0x0f,0x12,0x12,0x11,0x0f,0x11,0x11,0x13,0x16,0x1c,0x17,0x13, +0x14,0x1a,0x15,0x11,0x11,0x18,0x21,0x18,0x1a,0x1d,0x1d,0x1f,0x1f,0x1f,0x13,0x17, +0x22,0x24,0x22,0x1e,0x24,0x1c,0x1e,0x1f,0x1e,0xff,0xdb,0x00,0x43,0x01,0x05,0x05, +0x05,0x07,0x06,0x07,0x0e,0x08,0x08,0x0e,0x1e,0x14,0x11,0x14,0x1e,0x1e,0x1e,0x1e, +0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e, +0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e, +0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0x1e,0xff,0xc0, +0x00,0x11,0x08,0x00,0x01,0x00,0x01,0x03,0x01,0x22,0x00,0x02,0x11,0x01,0x03,0x11, +0x01,0xff,0xc4,0x00,0x15,0x00,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, +0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x08,0xff,0xc4,0x00,0x14,0x10,0x01,0x00,0x00, +0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xc4, +0x00,0x14,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, +0x00,0x00,0x00,0x00,0xff,0xc4,0x00,0x14,0x11,0x01,0x00,0x00,0x00,0x00,0x00,0x00, +0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xda,0x00,0x0c,0x03,0x01, +0x00,0x02,0x11,0x03,0x11,0x00,0x3f,0x00,0xb2,0xc0,0x07,0xff,0xd9 +}; + +/* 1x1 pixel png */ +static const unsigned char pngimage[285] = { +0x89,0x50,0x4e,0x47,0x0d,0x0a,0x1a,0x0a,0x00,0x00,0x00,0x0d,0x49,0x48,0x44,0x52, +0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x08,0x02,0x00,0x00,0x00,0x90,0x77,0x53, +0xde,0x00,0x00,0x00,0x09,0x70,0x48,0x59,0x73,0x00,0x00,0x0b,0x13,0x00,0x00,0x0b, +0x13,0x01,0x00,0x9a,0x9c,0x18,0x00,0x00,0x00,0x07,0x74,0x49,0x4d,0x45,0x07,0xd5, +0x06,0x03,0x0f,0x07,0x2d,0x12,0x10,0xf0,0xfd,0x00,0x00,0x00,0x0c,0x49,0x44,0x41, +0x54,0x08,0xd7,0x63,0xf8,0xff,0xff,0x3f,0x00,0x05,0xfe,0x02,0xfe,0xdc,0xcc,0x59, +0xe7,0x00,0x00,0x00,0x00,0x49,0x45,0x4e,0x44,0xae,0x42,0x60,0x82 +}; + +/* 1x1 pixel bmp */ +static const unsigned char bmpimage[66] = { +0x42,0x4d,0x42,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x3e,0x00,0x00,0x00,0x28,0x00, +0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00, +0x00,0x00,0x04,0x00,0x00,0x00,0x12,0x0b,0x00,0x00,0x12,0x0b,0x00,0x00,0x02,0x00, +0x00,0x00,0x02,0x00,0x00,0x00,0xff,0xff,0xff,0x00,0xff,0xff,0xff,0x00,0x00,0x00, +0x00,0x00 +}; + +/* 2x2 pixel gif */ +static const unsigned char gif4pixel[42] = { +0x47,0x49,0x46,0x38,0x37,0x61,0x02,0x00,0x02,0x00,0xa1,0x00,0x00,0x00,0x00,0x00, +0x39,0x62,0xfc,0xff,0x1a,0xe5,0xff,0xff,0xff,0x2c,0x00,0x00,0x00,0x00,0x02,0x00, +0x02,0x00,0x00,0x02,0x03,0x14,0x16,0x05,0x00,0x3b +}; + +static void test_LoadImageFile(const unsigned char * image_data, + unsigned int image_size, const char * ext, BOOL expect_success) +{ + HANDLE handle; + BOOL ret; + DWORD error, bytes_written; + char filename[64]; + + strcpy(filename, "test."); + strcat(filename, ext); + + /* Create the test image. */ + handle = CreateFileA(filename, GENERIC_READ|GENERIC_WRITE, 0, NULL, CREATE_NEW, + FILE_ATTRIBUTE_NORMAL, NULL); + ok(handle != INVALID_HANDLE_VALUE, "CreateFileA failed. %u\n", GetLastError()); + ret = WriteFile(handle, image_data, image_size, &bytes_written, NULL); + ok(bytes_written == image_size, "test file created improperly.\n"); + CloseHandle(handle); + + /* Load as cursor. For all tested formats, this should fail */ + SetLastError(0xdeadbeef); + handle = LoadImageA(NULL, filename, IMAGE_CURSOR, 0, 0, LR_LOADFROMFILE); + ok(handle == NULL, "LoadImage(%s) as IMAGE_CURSOR succeeded incorrectly.\n", ext); + error = GetLastError(); + ok(error == 0, "Last error: %u\n", error); + if (handle != NULL) DestroyCursor(handle); + + /* Load as icon. For all tested formats, this should fail */ + SetLastError(0xdeadbeef); + handle = LoadImageA(NULL, filename, IMAGE_ICON, 0, 0, LR_LOADFROMFILE); + ok(handle == NULL, "LoadImage(%s) as IMAGE_ICON succeeded incorrectly.\n", ext); + error = GetLastError(); + ok(error == 0, "Last error: %u\n", error); + if (handle != NULL) DestroyIcon(handle); + + /* Load as bitmap. Should succeed if bmp, fail for everything else */ + SetLastError(0xdeadbeef); + handle = LoadImageA(NULL, filename, IMAGE_BITMAP, 0, 0, LR_LOADFROMFILE); + if (expect_success) + ok(handle != NULL, "LoadImage(%s) as IMAGE_BITMAP failed.\n", ext); + else ok(handle == NULL, "LoadImage(%s) as IMAGE_BITMAP succeeded incorrectly.\n", ext); + error = GetLastError(); + ok(error == 0, "Last error: %u\n", error); + if (handle != NULL) DeleteObject(handle); + + DeleteFileA(filename); +} + static void test_LoadImage(void) { HANDLE handle; @@ -668,6 +773,12 @@ static void test_LoadImage(void) HeapFree(GetProcessHeap(), 0, icon_data); DeleteFileA("icon.ico"); + + test_LoadImageFile(bmpimage, sizeof(bmpimage), "bmp", 1); + test_LoadImageFile(gifimage, sizeof(gifimage), "gif", 0); + test_LoadImageFile(gif4pixel, sizeof(gif4pixel), "gif", 0); + test_LoadImageFile(jpgimage, sizeof(jpgimage), "jpg", 0); + test_LoadImageFile(pngimage, sizeof(pngimage), "png", 0); } static void test_DestroyCursor(void)