Hi,
requesting comments...
This patch reduces the attack vector on metafiles.
I originally wanted to filter only SETABORTPROC, but there are a lot of things that might be used to inject code.
Comments?
Ciao, Marcus
Changelog: Only allow whitelisted escape codes when playing metafiles.
Index: dlls/gdi/metafile.c
===================================================================
RCS file: /home/wine/wine/dlls/gdi/metafile.c,v
retrieving revision 1.10
diff -u -r1.10 metafile.c
--- dlls/gdi/metafile.c 5 Nov 2005 10:45:02 -0000 1.10
+++ dlls/gdi/metafile.c 2 Jan 2006 20:52:42 -0000
@@ -1121,10 +1121,57 @@
 GDIRealizePalette(hdc);
 break;
- case META_ESCAPE:
+ case META_ESCAPE: {
+ BOOL passdown = FALSE;
+
+ switch (mr->rdParm[0]) {
+ case SETABORTPROC:
+ FIXME("NOTE: Suppressing SETABORTPROC in metafile, possible exploit.\n");
+ break;
+ case STARTDOC:
+ case ABORTDOC:
+ case ENDDOC:
+ case NEWFRAME:
+ case NEXTBAND:
+ case SETCOPYCOUNT:
+ case SETCOLORTABLE:
+ case FLUSHOUTPUT:
+ case DRAFTMODE:
+ case SELECTPAPERSOURCE:
+ case SETLINECAP:
+ case SETLINEJOIN:
+ case SETMITERLIMIT:
+ case DRAWPATTERNRECT:
+ case ENABLEDUPLEX:
+ case EPSPRINTING:
+ case SETDIBSCALING:
+ case EXTTEXTOUT:
+ case ENABLEPAIRKERNING:
+ case SETCHARSET:
+ case SETKERNTRACK:
+ case SETALLJUSTVALUES:
+ case STRETCHBLT:
+ case BEGIN_PATH:
+ case CLIP_TO_PATH:
+ case END_PATH:
+ case SET_ARC_DIRECTION:
+ case SET_BACKGROUND_COLOR:
+ case SET_POLY_MODE:
+ case SET_SCREEN_ANGLE:
+ case SET_SPREAD:
+ case TRANSFORM_CTM:
+ case SET_CLIP_BOX:
+ case SET_BOUNDS:
+ case SET_MIRROR_MODE:
+ passdown = TRUE;
+ break;
+ default:
+ FIXME("Ignoring strange Escape code %d in Metafile.\n");
+ break;
+ }
 Escape(hdc, mr->rdParm[0], mr->rdParm[1], (LPCSTR)&mr->rdParm[2], NULL);
 break;
-
+ }
 case META_EXTTEXTOUT:
 MF_Play_MetaExtTextOut( hdc, mr );
 break;
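Review bot: `passdown` is assigned by the new inner switch but never read, so the `Escape(hdc, mr->rdParm[0], ...)` call that follows it still runs for SETABORTPROC and for every unlisted code; the whitelist therefore changes nothing except the log output. The guard should be explicit before the call, e.g. `if (!passdown) break;` immediately after the closing `}` of the inner switch, so that only the listed codes reach Escape. The `default:` branch also passes a `%d` format with no matching argument, which is undefined behaviour in the trace call; it should be `FIXME("Ignoring strange Escape code %d in Metafile.\n", mr->rdParm[0]);`. Separately, the metafile record's `rdParm[1]` is handed to Escape as the input length without any check against the record's own size in this hunk; whether that is validated by the caller cannot be seen here and is worth confirming, since the whole point of this change is to limit what a crafted metafile can do. The enclosing playback function starts and ends outside the hunk.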