[gtk+/gtk-2-24] win32: add more clipboard data checks to avoid crash



commit dd37429b51e07a61b309b0620f49e235bfe0a9c7
Author: Marc-André Lureau <marcandre lureau gmail com>
Date:   Tue Apr 22 19:47:47 2014 +0200

    win32: add more clipboard data checks to avoid crash
    
    It may happen that the received clipboard data is empty, but
    if it's of type image/bmp, gtk+ will crash:
    
    gdk_property_change: 00030AD4 GDK_SELECTION image/bmp REPLACE 8*0 bits:
    ... delayed rendering
    gdk_selection_send_notify_for_display: 00030AD4 CLIPBOARD image/bmp
    GDK_SELECTION (no-op)
    _gdk_win32_selection_convert_to_dib: 1252003C image/bmp
    
    Program received signal SIGSEGV, Segmentation fault.
    0x749a9f40 in msvcrt!memmove () from C:\Windows\syswow64\msvcrt.dll
    
    Thread 1 (Thread 2248.0x1b34):
    target=0xc07b) at gdkselection-win32.c:1292
    at gdkevents-win32.c:3498
    wparam=8, lparam=0) at gdkevents-win32.c:232
    message=773, wparam=8, lparam=0)
        at gdkevents-win32.c:263
    C:\Windows\syswow64\user32.dll
    C:\Users\rugoosse\AppData\Local\virt-viewer\bin\libpangocairo-1.0-0.dll
    wparam=0, lparam=-1687549457)
        at gdkevents-win32.c:248
    C:\Users\rugoosse\AppData\Local\virt-viewer\bin\libpangocairo-1.0-0.dll
    
    https://bugzilla.gnome.org/show_bug.cgi?id=728745

 gdk/win32/gdkproperty-win32.c  |    6 ++++++
 gdk/win32/gdkselection-win32.c |    2 ++
 2 files changed, 8 insertions(+), 0 deletions(-)
---
diff --git a/gdk/win32/gdkproperty-win32.c b/gdk/win32/gdkproperty-win32.c
index 39163b5..88a29e8 100644
--- a/gdk/win32/gdkproperty-win32.c
+++ b/gdk/win32/gdkproperty-win32.c
@@ -193,6 +193,12 @@ gdk_property_change (GdkWindow    *window,
       format == 8 &&
       mode == GDK_PROP_MODE_REPLACE)
     {
+      if (type == _image_bmp && nelements < sizeof (BITMAPFILEHEADER))
+        {
+           g_warning ("Clipboard contains invalid bitmap data");
+           return;
+        }
+
       if (type == _utf8_string)
        {
          if (!OpenClipboard (GDK_WINDOW_HWND (window)))
diff --git a/gdk/win32/gdkselection-win32.c b/gdk/win32/gdkselection-win32.c
index 41d4d3d..1b497c5 100644
--- a/gdk/win32/gdkselection-win32.c
+++ b/gdk/win32/gdkselection-win32.c
@@ -1286,6 +1286,8 @@ _gdk_win32_selection_convert_to_dib (HGLOBAL  hdata,
 
   if (target == _image_bmp)
     {
+      g_return_val_if_fail (GlobalSize (hdata) >= sizeof (BITMAPFILEHEADER), NULL);
+
       /* No conversion is needed, just strip the BITMAPFILEHEADER */
       HGLOBAL hdatanew;
       SIZE_T size = GlobalSize (hdata) - sizeof (BITMAPFILEHEADER);


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]