From 9e989d3c52dc9dbc7cd0e921cf2d7b2466040560 Mon Sep 17 00:00:00 2001
From: Phil Krylov
Date: Sat, 11 Nov 2023 21:46:45 +0100
Subject: [PATCH] 2023-11-11 21:41 UTC+0100 Phil Krylov (phil a t krylov.eu) (#335)
2023-11-11 21:41 UTC+0100 Phil Krylov (phil a t krylov.eu)
 * contrib/hbwin/win_bmp.c
 ! Fixed dangling pointer access (introduced in commit 64dba82) in
 WIN_DRAWBITMAP().
---
 ChangeLog.txt | 5 +++++
 contrib/hbwin/win_bmp.c | 9 ++++-----
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/ChangeLog.txt b/ChangeLog.txt
index e75b7eb395..ea38f8d36e 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -7,6 +7,11 @@
 Entries may not always be in chronological/commit order.
 See license at the end of file. */
+2023-11-11 21:41 UTC+0100 Phil Krylov (phil a t krylov.eu)
+ * contrib/hbwin/win_bmp.c
+ ! Fixed dangling pointer access (introduced in commit 64dba82) in
+ WIN_DRAWBITMAP().
+
 2023-11-11 21:08 UTC+0100 Phil Krylov (phil a t krylov.eu)
 * .github/workflows/linux-ci.yml
 * .github/workflows/macos-ci.yml
diff --git a/contrib/hbwin/win_bmp.c b/contrib/hbwin/win_bmp.c
index fec4e31a18..4df5720448 100644
--- a/contrib/hbwin/win_bmp.c
+++ b/contrib/hbwin/win_bmp.c
@@ -166,17 +166,18 @@ HB_FUNC( WIN_DRAWBITMAP )
 BITMAPINFO * pbmi = NULL;
 BYTE * pBits = NULL;
 HDC hDC = hbwapi_par_HDC( 1 );
+ /* FIXME: No check is done on 2nd parameter which is a large security hole
+ and may cause GPF in simple error cases.
+ [vszakats] */
 HB_SIZE nSize = hb_parclen( 2 );
 BITMAPFILEHEADER * pbmfh = ( BITMAPFILEHEADER * ) hb_parc( 2 );
 int iType = hbwin_bitmapType( pbmfh, nSize );
- /* FIXME: No check is done on 2nd parameter which is a large security hole
- and may cause GPF in simple error cases.
- [vszakats] */
 if( hbwin_bitmapIsSupported( hDC, iType, pbmfh, nSize ) == 0 )
 {
 int iWidth = hb_parni( 7 );
 int iHeight = hb_parni( 8 );
+ BITMAPINFO bmi;
 if( iType == HB_WIN_BITMAP_BMP )
 {
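Review bot: The relocated FIXME still describes an open problem that this change leaves untouched: `hb_parc( 2 )` is cast straight to `BITMAPFILEHEADER *` and passed to `hbwin_bitmapType()` and `hbwin_bitmapIsSupported()`, with no visible check that parameter 2 is a string of at least `sizeof( BITMAPFILEHEADER )` bytes. Whether those helpers validate `nSize` themselves cannot be seen from this hunk, so that should be confirmed; if they do not, the call should be rejected early with a guard along the lines of `if( pbmfh == NULL || nSize < sizeof( BITMAPFILEHEADER ) )` before any header field is read. Separately, the hoisted `BITMAPINFO bmi;` would benefit from a one-line comment such as `/* declared here so it outlives the branch that fills it; pbmi may refer to it */` (assuming, as the commit message implies, that `pbmi` is pointed at `bmi` in the `else if` branch), so that nobody moves the declaration back into the inner block. The body of WIN_DRAWBITMAP starts and ends outside this hunk.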
@@ -197,8 +198,6 @@ HB_FUNC( WIN_DRAWBITMAP )
 }
 else if( iWidth && iHeight )
 {
- BITMAPINFO bmi;
-
 memset( &bmi, 0, sizeof( bmi ) );
 bmi.bmiHeader.biSize = sizeof( BITMAPINFO );
 bmi.bmiHeader.biWidth = iWidth;