From 19e7aeae51972f234d2021b968efc15103d1ec57 Mon Sep 17 00:00:00 2001
From: Sebastian Lackner
Date: Tue, 20 Dec 2016 23:39:26 +0100
Subject: [PATCH] Added patch to protect CloseThemeData from invalid input.
---
 patches/patchinstall.sh | 19 +++
 ...ct-CloseThemeData-from-invalid-input.patch | 115 ++++++++++++++++++
 patches/uxtheme-CloseThemeClass/definition | 1 +
 3 files changed, 135 insertions(+)
 create mode 100644 patches/uxtheme-CloseThemeClass/0001-uxtheme-Protect-CloseThemeData-from-invalid-input.patch
 create mode 100644 patches/uxtheme-CloseThemeClass/definition
diff --git a/patches/patchinstall.sh b/patches/patchinstall.sh
index 7b28f9ff..27e4b7dc 100755
--- a/patches/patchinstall.sh
+++ b/patches/patchinstall.sh
@@ -340,6 +340,7 @@ patch_enable_all ()
 enable_user32_ScrollWindowEx="$1"
 enable_user32_WM_MEASUREITEM="$1"
 enable_user32_lpCreateParams="$1"
+ enable_uxtheme_CloseThemeClass="$1"
 enable_uxtheme_GTK_Theming="$1"
 enable_version_GetFileVersionInfoSizeExW="$1"
 enable_version_VerFindFileA="$1"
@@ -1202,6 +1203,9 @@ patch_enable ()
 user32-lpCreateParams)
 enable_user32_lpCreateParams="$2"
 ;;
+ uxtheme-CloseThemeClass)
+ enable_uxtheme_CloseThemeClass="$2"
+ ;;
 uxtheme-GTK_Theming)
 enable_uxtheme_GTK_Theming="$2"
 ;;
@@ -7076,6 +7080,21 @@ if test "$enable_user32_WM_MEASUREITEM" -eq 1; then
 ) >> "$patchlist"
 fi
+# Patchset uxtheme-CloseThemeClass
+# |
+# | This patchset fixes the following Wine bugs:
+# | * [#41029] Protect CloseThemeData() from invalid input
+# |
+# | Modified files:
+# | * dlls/uxtheme/msstyles.c, dlls/uxtheme/msstyles.h, dlls/uxtheme/tests/system.c
+# |
+if test "$enable_uxtheme_CloseThemeClass" -eq 1; then
+ patch_apply uxtheme-CloseThemeClass/0001-uxtheme-Protect-CloseThemeData-from-invalid-input.patch
+ (
+ echo '+ { "Dmitry Timoshkov", "uxtheme: Protect CloseThemeData() from invalid input.", 1 },';
+ ) >> "$patchlist"
+fi
+
 # Patchset uxtheme-GTK_Theming
 # |
 # | This patchset has the following (direct or indirect) dependencies:
diff --git a/patches/uxtheme-CloseThemeClass/0001-uxtheme-Protect-CloseThemeData-from-invalid-input.patch b/patches/uxtheme-CloseThemeClass/0001-uxtheme-Protect-CloseThemeData-from-invalid-input.patch
new file mode 100644
index 00000000..52d1d5ec
--- /dev/null
+++ b/patches/uxtheme-CloseThemeClass/0001-uxtheme-Protect-CloseThemeData-from-invalid-input.patch
@@ -0,0 +1,115 @@
+From 56e15c62829a85dead5cd681ada5a69e9374d5e6 Mon Sep 17 00:00:00 2001
+From: Dmitry Timoshkov
+Date: Fri, 18 Nov 2016 22:31:29 +0800
+Subject: uxtheme: Protect CloseThemeData() from invalid input.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Testcase by Michael Müller .
+---
+ dlls/uxtheme/msstyles.c | 22 ++++++++++++++++++++++
+ dlls/uxtheme/msstyles.h | 3 ++-
+ dlls/uxtheme/tests/system.c | 4 ++++
+ 3 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/dlls/uxtheme/msstyles.c b/dlls/uxtheme/msstyles.c
+index e62b95d..1cca4fc 100644
+--- a/dlls/uxtheme/msstyles.c
++++ b/dlls/uxtheme/msstyles.c
+@@ -35,6 +35,7 @@
+ #include "msstyles.h"
+
+ #include "wine/unicode.h"
++#include "wine/exception.h"
+ #include "wine/debug.h"
+
+ WINE_DEFAULT_DEBUG_CHANNEL(uxtheme);
+@@ -56,6 +57,8 @@ static const WCHAR szThemesIniResource[] = {
+ 't','h','e','m','e','s','_','i','n','i','\0'
+ };
+
++#define THEME_CLASS_SIGNATURE (('T' << 24) | ('H' << 16) | ('E' << 8) | 'M')
++
+ static PTHEME_FILE tfActiveTheme;
+
+ /***********************************************************************/
+@@ -219,6 +222,7 @@ void MSSTYLES_CloseThemeFile(PTHEME_FILE tf)
+ pcls->partstate = ps->next;
+ HeapFree(GetProcessHeap(), 0, ps);
+ }
++ pcls->signature = 0;
+ HeapFree(GetProcessHeap(), 0, pcls);
+ }
+ }
+@@ -450,6 +454,7 @@ static PTHEME_CLASS MSSTYLES_AddClass(PTHEME_FILE tf, LPCWSTR pszAppName, LPCWST
+ if(cur) return cur;
+
+ cur = HeapAlloc(GetProcessHeap(), 0, sizeof(THEME_CLASS));
++ cur->signature = THEME_CLASS_SIGNATURE;
+ cur->hTheme = tf->hTheme;
+ lstrcpyW(cur->szAppName, pszAppName);
+ lstrcpyW(cur->szClassName, pszClassName);
+@@ -1043,6 +1048,23 @@ PTHEME_CLASS MSSTYLES_OpenThemeClass(LPCWSTR pszAppName, LPCWSTR pszClassList)
+ */
+ HRESULT MSSTYLES_CloseThemeClass(PTHEME_CLASS tc)
+ {
++ __TRY
++ {
++ if (tc->signature != THEME_CLASS_SIGNATURE)
++ tc = NULL;
++ }
++ __EXCEPT_PAGE_FAULT
++ {
++ tc = NULL;
++ }
++ __ENDTRY
++
++ if (!tc)
++ {
++ WARN("Invalid theme class handle\n");
++ return E_HANDLE;
++ }
++
+ MSSTYLES_CloseThemeFile (tc->tf);
+ return S_OK;
+ }
+diff --git a/dlls/uxtheme/msstyles.h b/dlls/uxtheme/msstyles.h
+index 0b7e1ab..ba10ac8 100644
+--- a/dlls/uxtheme/msstyles.h
++++ b/dlls/uxtheme/msstyles.h
+@@ -49,6 +49,7 @@ typedef struct _THEME_PARTSTATE {
+ struct _THEME_FILE;
+
+ typedef struct _THEME_CLASS {
++ DWORD signature;
+ HMODULE hTheme;
+ struct _THEME_FILE* tf;
+ WCHAR szAppName[MAX_THEME_APP_NAME];
+@@ -63,7 +64,7 @@ typedef struct _THEME_IMAGE {
+ WCHAR name[MAX_PATH];
+ HBITMAP image;
+ BOOL hasAlpha;
+-
++
+ struct _THEME_IMAGE *next;
+ } THEME_IMAGE, *PTHEME_IMAGE;
+
+diff --git a/dlls/uxtheme/tests/system.c b/dlls/uxtheme/tests/system.c
+index d40679d..dba6cc8 100644
+--- a/dlls/uxtheme/tests/system.c
++++ b/dlls/uxtheme/tests/system.c
+@@ -181,6 +181,10 @@ static void test_OpenThemeData(void)
+ "Expected GLE() to be E_PROP_ID_UNSUPPORTED, got 0x%08x\n",
+ GetLastError());
+
++ /* Close invalid handle */
++ hRes = CloseThemeData((HTHEME)0xdeadbeef);
++ ok( hRes == E_HANDLE, "Expected E_HANDLE, got 0x%08x\n", hRes);
++
+ if (!bThemeActive)
+ {
+ SetLastError(0xdeadbeef);
+--
+2.9.0
+
diff --git a/patches/uxtheme-CloseThemeClass/definition b/patches/uxtheme-CloseThemeClass/definition
new file mode 100644
index 00000000..8cce185b
--- /dev/null
+++ b/patches/uxtheme-CloseThemeClass/definition
@@ -0,0 +1 @@
+Fixes: [41029] Protect CloseThemeData() from invalid input
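Review bot: The signature test added to `MSSTYLES_CloseThemeClass` is a best-effort sanity check rather than real handle validation, and nothing in the embedded patch says so. `MSSTYLES_CloseThemeFile` clears `pcls->signature` immediately before `HeapFree`, so a second close of the same handle reads freed memory inside the `__TRY` block and is rejected only while that block has not been reused; once the heap hands it to another `THEME_CLASS`, the stale handle passes again and `MSSTYLES_CloseThemeFile(tc->tf)` runs on a class the caller no longer owns. I would put a comment above the `#define`, for example `/* Sanity marker only: catches wild pointers and most double closes, not a stale handle whose block was reused. */`. Separately, the new `cur->signature = THEME_CLASS_SIGNATURE;` in `MSSTYLES_AddClass` writes through the `HeapAlloc` result with no NULL check; the context line after it does the same, so this predates the patch, but `if (!cur) return NULL;` before the store would close it. Both `MSSTYLES_AddClass` and `MSSTYLES_CloseThemeFile` extend beyond the hunks shown, so callers and cleanup paths outside the view should be checked against that change.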