| commit | 2ae7ecb9367a1a5a407c293a8e2529eb4db813f4 | |
| author | Dmitry Timoshkov <dmitry@baikal.ru> | |
| Fri, 12 Aug 2022 03:32:54 +0000 (12 11:32 +0800) | ||
| committer | Alexandre Julliard <julliard@winehq.org> | |
| Tue, 8 Nov 2022 19:07:51 +0000 (8 20:07 +0100) | ||
| tree | 0b1dfd10ab2d31ecb97419a1841ed918c0fd4259 | treesnapshot (tar.gz zip) |
| parent | ae3c9e327224e15908acde673b17d650d7a4160d | commitdiff |
uxtheme: Protect CloseThemeData() from invalid input.
With test case by Michael Müller <michael@fds-team.de>.
Zhiyi Zhang's comments:
Some applications close the same HTHEME handle more than once, causing use-after-free. HTHEME is a
handle rather than a pointer. Some testing shows that it's a handle starting from 0x10000 or 0x20000.
Each new handle increments from the first handle and closing handles decrements it. I prefer not to
implement this handle to data map for now because it will likely hurt performance.
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=29974
With test case by Michael Müller <michael@fds-team.de>.
Zhiyi Zhang's comments:
Some applications close the same HTHEME handle more than once, causing use-after-free. HTHEME is a
handle rather than a pointer. Some testing shows that it's a handle starting from 0x10000 or 0x20000.
Each new handle increments from the first handle and closing handles decrements it. I prefer not to
implement this handle to data map for now because it will likely hurt performance.
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=29974
| dlls/uxtheme/msstyles.c | diffblobblamehistory | |
| dlls/uxtheme/msstyles.h | diffblobblamehistory | |
| dlls/uxtheme/tests/system.c | diffblobblamehistory |