From 69abf20fcdbd34cdc80af6a2edc0ea2d59b604b6 Mon Sep 17 00:00:00 2001
From: Alexandre Julliard
Date: Wed, 11 Sep 2013 17:30:46 +0200
Subject: [PATCH] gdi32: Add a check for overflow in DIB dimensions.
---
 dlls/gdi32/dib.c | 5 +++++
 dlls/gdi32/tests/bitmap.c | 43 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)
diff --git a/dlls/gdi32/dib.c b/dlls/gdi32/dib.c
index ad2a4dc6b23..adf29ea2f14 100644
--- a/dlls/gdi32/dib.c
+++ b/dlls/gdi32/dib.c
@@ -128,6 +128,11 @@ static BOOL is_valid_dib_format( const BITMAPINFOHEADER *info, BOOL allow_compre
 if (!info->biPlanes) return FALSE;
+ /* check for size overflow */
+ if (!info->biBitCount) return FALSE;
+ if (UINT_MAX / info->biBitCount < info->biWidth) return FALSE;
+ if (UINT_MAX / get_dib_stride( info->biWidth, info->biBitCount ) < abs( info->biHeight )) return FALSE;
+
 switch (info->biBitCount)
 {
 case 1:
diff --git a/dlls/gdi32/tests/bitmap.c b/dlls/gdi32/tests/bitmap.c
index f72574a7335..6b52356f1c6 100644
--- a/dlls/gdi32/tests/bitmap.c
+++ b/dlls/gdi32/tests/bitmap.c
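Review bot: In the dlls/gdi32/dib.c hunk, the third added check divides by the result of get_dib_stride() without ensuring it is non-zero, and it runs before the `switch` has validated biBitCount, so any non-zero bit count reaches the division. get_dib_stride() is defined outside this diff; if it rounds the row up to a 32-bit boundary (presumably by adding 31 to width × bit count), a product just under UINT_MAX passes the second check yet wraps during rounding, which could yield a zero or tiny stride and either a division by zero or a height check that no longer bounds the total size. Leaving headroom in the second check would close that gap: `if ((UINT_MAX - 31) / info->biBitCount < info->biWidth) return FALSE;` (use INT_MAX instead of UINT_MAX if the helper computes in int). Separately, `abs( info->biHeight )` is undefined for the most negative LONG value, so rejecting that value explicitly before the division would make the intent clear. is_valid_dib_format starts and ends outside the hunk, so whether biWidth is already known to be positive here should be confirmed against the full function.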
@@ -1207,6 +1207,49 @@ static void test_dib_formats(void)
 ret = GetDIBits(hdc, hbmp, 0, 0, NULL, bi, DIB_PAL_COLORS+2);
 ok( !ret, "GetDIBits succeeded with DIB_PAL_COLORS+2\n" );
+ bi->bmiHeader.biWidth = 0x4000;
+ bi->bmiHeader.biHeight = 0x4000;
+ bi->bmiHeader.biBitCount = 1;
+ bi->bmiHeader.biCompression = BI_RGB;
+ hdib = CreateDIBSection(hdc, bi, DIB_RGB_COLORS, &bits, NULL, 0);
+ ok( hdib != NULL, "CreateDIBSection failed with large size\n" );
+ DeleteObject( hdib );
+
+ bi->bmiHeader.biWidth = 0x8001;
+ bi->bmiHeader.biHeight = 0x8001;
+ bi->bmiHeader.biBitCount = 32;
+ bi->bmiHeader.biCompression = BI_RGB;
+ hdib = CreateDIBSection(hdc, bi, DIB_RGB_COLORS, &bits, NULL, 0);
+ ok( hdib == NULL, "CreateDIBSection succeeded with size overflow\n" );
+
+ bi->bmiHeader.biWidth = 1;
+ bi->bmiHeader.biHeight = 0x40000001;
+ bi->bmiHeader.biBitCount = 32;
+ bi->bmiHeader.biCompression = BI_RGB;
+ hdib = CreateDIBSection(hdc, bi, DIB_RGB_COLORS, &bits, NULL, 0);
+ ok( hdib == NULL, "CreateDIBSection succeeded with size overflow\n" );
+
+ bi->bmiHeader.biWidth = 2;
+ bi->bmiHeader.biHeight = 0x40000001;
+ bi->bmiHeader.biBitCount = 16;
+ bi->bmiHeader.biCompression = BI_RGB;
+ hdib = CreateDIBSection(hdc, bi, DIB_RGB_COLORS, &bits, NULL, 0);
+ ok( hdib == NULL, "CreateDIBSection succeeded with size overflow\n" );
+
+ bi->bmiHeader.biWidth = 0x40000001;
+ bi->bmiHeader.biHeight = 1;
+ bi->bmiHeader.biBitCount = 32;
+ bi->bmiHeader.biCompression = BI_RGB;
+ hdib = CreateDIBSection(hdc, bi, DIB_RGB_COLORS, &bits, NULL, 0);
+ ok( hdib == NULL, "CreateDIBSection succeeded with size overflow\n" );
+
+ bi->bmiHeader.biWidth = 0x40000001;
+ bi->bmiHeader.biHeight = 4;
+ bi->bmiHeader.biBitCount = 8;
+ bi->bmiHeader.biCompression = BI_RGB;
+ hdib = CreateDIBSection(hdc, bi, DIB_RGB_COLORS, &bits, NULL, 0);
+ ok( hdib == NULL, "CreateDIBSection succeeded with size overflow\n" );
+
 DeleteDC( memdc );
 DeleteObject( hbmp );
 ReleaseDC( 0, hdc );
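Review bot: Every overflow case added to test_dib_formats uses a positive biHeight, so the `abs( info->biHeight )` side of the new validation is never exercised for top-down DIBs. One more case mirroring the third one but with `bi->bmiHeader.biHeight = -0x40000001;` (width 1, 32 bpp), expecting `hdib == NULL`, would cover it; the expected result on native Windows should be confirmed before committing. The failure cases also never release `hdib` if CreateDIBSection unexpectedly succeeds, so `if (hdib) DeleteObject( hdib );` after each `ok` would keep a regression from leaking a large section for the rest of the run. test_dib_formats starts and ends outside the hunk.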