Added patch to protect CloseThemeData from invalid input.

2025-01-28 22:04:43 -08:00 · 2016-12-20 23:39:26 +01:00 · 2016-12-20 23:39:26 +01:00 · 19e7aeae51
commit 19e7aeae51
parent 1740d793d8
3 changed files with 135 additions and 0 deletions
--- a/patches/patchinstall.sh
+++ b/patches/patchinstall.sh
@ -340,6 +340,7 @@ patch_enable_all ()
 	enable_user32_ScrollWindowEx="$1"
 	enable_user32_WM_MEASUREITEM="$1"
 	enable_user32_lpCreateParams="$1"
+	enable_uxtheme_CloseThemeClass="$1"
 	enable_uxtheme_GTK_Theming="$1"
 	enable_version_GetFileVersionInfoSizeExW="$1"
 	enable_version_VerFindFileA="$1"
@ -1202,6 +1203,9 @@ patch_enable ()
 		user32-lpCreateParams)
 			enable_user32_lpCreateParams="$2"
 			;;
+		uxtheme-CloseThemeClass)
+			enable_uxtheme_CloseThemeClass="$2"
+			;;
 		uxtheme-GTK_Theming)
 			enable_uxtheme_GTK_Theming="$2"
 			;;
@ -7076,6 +7080,21 @@ if test "$enable_user32_WM_MEASUREITEM" -eq 1; then
 	) >> "$patchlist"
 fi

+# Patchset uxtheme-CloseThemeClass
+# |
+# | This patchset fixes the following Wine bugs:
+# |   *	[#41029] Protect CloseThemeData() from invalid input
+# |
+# | Modified files:
+# |   *	dlls/uxtheme/msstyles.c, dlls/uxtheme/msstyles.h, dlls/uxtheme/tests/system.c
+# |
+if test "$enable_uxtheme_CloseThemeClass" -eq 1; then
+	patch_apply uxtheme-CloseThemeClass/0001-uxtheme-Protect-CloseThemeData-from-invalid-input.patch
+	(
+		echo '+    { "Dmitry Timoshkov", "uxtheme: Protect CloseThemeData() from invalid input.", 1 },';
+	) >> "$patchlist"
+fi
+
 # Patchset uxtheme-GTK_Theming
 # |
 # | This patchset has the following (direct or indirect) dependencies:
--- a/patches/uxtheme-CloseThemeClass/0001-uxtheme-Protect-CloseThemeData-from-invalid-input.patch
+++ b/patches/uxtheme-CloseThemeClass/0001-uxtheme-Protect-CloseThemeData-from-invalid-input.patch
@ -0,0 +1,115 @@
+From 56e15c62829a85dead5cd681ada5a69e9374d5e6 Mon Sep 17 00:00:00 2001
+From: Dmitry Timoshkov <dmitry@baikal.ru>
+Date: Fri, 18 Nov 2016 22:31:29 +0800
+Subject: uxtheme: Protect CloseThemeData() from invalid input.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Testcase by Michael Müller <michael@fds-team.de>.
+---
+ dlls/uxtheme/msstyles.c     | 22 ++++++++++++++++++++++
+ dlls/uxtheme/msstyles.h     |  3 ++-
+ dlls/uxtheme/tests/system.c |  4 ++++
+ 3 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/dlls/uxtheme/msstyles.c b/dlls/uxtheme/msstyles.c
+index e62b95d..1cca4fc 100644
+--- a/dlls/uxtheme/msstyles.c
+++ b/dlls/uxtheme/msstyles.c
+@@ -35,6 +35,7 @@
+ #include "msstyles.h"
+ 
+ #include "wine/unicode.h"
+#include "wine/exception.h"
+ #include "wine/debug.h"
+ 
+ WINE_DEFAULT_DEBUG_CHANNEL(uxtheme);
+@@ -56,6 +57,8 @@ static const WCHAR szThemesIniResource[] = {
+     't','h','e','m','e','s','_','i','n','i','\0'
+ };
+ 
+#define THEME_CLASS_SIGNATURE (('T' << 24) | ('H' << 16) | ('E' << 8) | 'M')
+
+ static PTHEME_FILE tfActiveTheme;
+ 
+ /***********************************************************************/
+@@ -219,6 +222,7 @@ void MSSTYLES_CloseThemeFile(PTHEME_FILE tf)
+                         pcls->partstate = ps->next;
+                         HeapFree(GetProcessHeap(), 0, ps);
+                     }
+                    pcls->signature = 0;
+                     HeapFree(GetProcessHeap(), 0, pcls);
+                 }
+             }
+@@ -450,6 +454,7 @@ static PTHEME_CLASS MSSTYLES_AddClass(PTHEME_FILE tf, LPCWSTR pszAppName, LPCWST
+     if(cur) return cur;
+ 
+     cur = HeapAlloc(GetProcessHeap(), 0, sizeof(THEME_CLASS));
+    cur->signature = THEME_CLASS_SIGNATURE;
+     cur->hTheme = tf->hTheme;
+     lstrcpyW(cur->szAppName, pszAppName);
+     lstrcpyW(cur->szClassName, pszClassName);
+@@ -1043,6 +1048,23 @@ PTHEME_CLASS MSSTYLES_OpenThemeClass(LPCWSTR pszAppName, LPCWSTR pszClassList)
+  */
+ HRESULT MSSTYLES_CloseThemeClass(PTHEME_CLASS tc)
+ {
+    __TRY
+    {
+        if (tc->signature != THEME_CLASS_SIGNATURE)
+            tc = NULL;
+    }
+    __EXCEPT_PAGE_FAULT
+    {
+        tc = NULL;
+    }
+    __ENDTRY
+
+    if (!tc)
+    {
+        WARN("Invalid theme class handle\n");
+        return E_HANDLE;
+    }
+
+     MSSTYLES_CloseThemeFile (tc->tf);
+     return S_OK;
+ }
+diff --git a/dlls/uxtheme/msstyles.h b/dlls/uxtheme/msstyles.h
+index 0b7e1ab..ba10ac8 100644
+--- a/dlls/uxtheme/msstyles.h
+++ b/dlls/uxtheme/msstyles.h
+@@ -49,6 +49,7 @@ typedef struct _THEME_PARTSTATE {
+ struct _THEME_FILE;
+ 
+ typedef struct _THEME_CLASS {
+    DWORD signature;
+     HMODULE hTheme;
+     struct _THEME_FILE* tf;
+     WCHAR szAppName[MAX_THEME_APP_NAME];
+@@ -63,7 +64,7 @@ typedef struct _THEME_IMAGE {
+     WCHAR name[MAX_PATH];
+     HBITMAP image;
+     BOOL hasAlpha;
+-    
+
+     struct _THEME_IMAGE *next;
+ } THEME_IMAGE, *PTHEME_IMAGE;
+ 
+diff --git a/dlls/uxtheme/tests/system.c b/dlls/uxtheme/tests/system.c
+index d40679d..dba6cc8 100644
+--- a/dlls/uxtheme/tests/system.c
+++ b/dlls/uxtheme/tests/system.c
+@@ -181,6 +181,10 @@ static void test_OpenThemeData(void)
+             "Expected GLE() to be E_PROP_ID_UNSUPPORTED, got 0x%08x\n",
+             GetLastError());
+ 
+    /* Close invalid handle */
+    hRes = CloseThemeData((HTHEME)0xdeadbeef);
+    ok( hRes == E_HANDLE, "Expected E_HANDLE, got 0x%08x\n", hRes);
+
+     if (!bThemeActive)
+     {
+         SetLastError(0xdeadbeef);
+-- 
+2.9.0
+
--- a/patches/uxtheme-CloseThemeClass/definition
+++ b/patches/uxtheme-CloseThemeClass/definition
@ -0,0 +1 @@
+Fixes: [41029] Protect CloseThemeData() from invalid input
				`@ -0,0 +1 @@`
				`Fixes: [41029] Protect CloseThemeData() from invalid input`