gerard patel wrote:
>
> At 09:17 AM 9/5/00 +0000, you wrote:
> >yet another case of GDI heap overflow:
> <snip>
> Arranged trace:
>
> Call kernel32.501: LocalAlloc(00000040,00000048) ret=1002caad fs=008f
> Ret kernel32.501: LocalAlloc() retval=40381930 ret=1002caad fs=008f
> Call gdi32.160: CreatePalette(40381930) ret=100257b3 fs=008f
> Ret gdi32.160: CreatePalette() retval=000015ae ret=100257b3 fs=008f
> Call kernel32.505: LocalFree(40381930) ret=1002cb1f fs=008f
> Ret kernel32.505: LocalFree() retval=00000000 ret=1002cb1f fs=008f
>
> This creates a palette, with a buffer created and freed immediately after.
>
> Call gdi32.139: CreateDCA(1003e1e0 "DISPLAY",00000000,00000000,00000000) ret=10025803 fs=008f
> Ret gdi32.139: CreateDCA() retval=000015c6 ret=10025803 fs=008f
>
> Creates a DC
>
> Call gdi32.429: SelectPalette(000015c6,000015ae,00000001) ret=10025825 fs=008f
> Ret gdi32.429: SelectPalette() retval=0000ffef ret=10025825 fs=008f
>
> Call gdi32.409: RealizePalette(000015c6) ret=1002582e fs=008f
> Ret gdi32.409: RealizePalette() retval=00000010 ret=1002582e fs=008f
>
> SelectPalette and RealizePalette don't create new handles.
>
> Call gdi32.144: CreateDIBitmap(000015c6,4036c6bc,00000000,00000000,00000000,00000000)
> Ret gdi32.144: CreateDIBitmap() retval=000015de ret=10025847 fs=008f
>
> Creates a bitmap
>
> Call gdi32.441: SetDIBits(000015c6,000015de,00000000,00000168,4036c758,4036c6bc,00000000)
> Ret gdi32.441: SetDIBits() retval=00000168 ret=10025877 fs=008f
>
> Initialize it
>
> Call kernel32.505: LocalFree(4036c758) ret=1002cb1f fs=008f
> Ret kernel32.505: LocalFree() retval=00000000 ret=1002cb1f fs=008f
>
> Frees the buffer used to set the bits of the bitmap
> Buffer was allocated before the beginning of your trace.
>
> Call gdi32.429: SelectPalette(000015c6,0000ffef,00000001) ret=10025891 fs=008f
> Ret gdi32.429: SelectPalette() retval=000015ae ret=10025891 fs=008f
>
> Restores the default palette of the DC, as stated by the
> Win32 programming guidelines.
> When you create a DC, there is a default object selected in it for
> each type of object.
> You select the object you want (here a palette); when you are
> finished with the DC, you select back the previous object (the
> ffef handle).
>
> Call gdi32.174: DeleteDC(000015c6) ret=10025898 fs=008f
> Another thing to watch for would be for the program deleting a system
> color brush or pen; the Corel version is protecting itself against this
> slight problem (gdiobj/objects.c), but their trick is not politically
> correct :-) So far the only case I have seen of a 'black and white' program
> was a nice program deleting a system color brush :-)
Have you recently tried winmine? Mine comes up in a nice 1-bit b&w scheme
(hard to tell when it started, but the GDI lock overhaul may be a good start).
a+
--
---------------
Eric Pouech (http://perso.wanadoo.fr/eric.pouech/)
"The future will be better tomorrow", Vice President Dan Quayle
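The thread reads a relay trace by hand to decide which GDI handles and heap blocks the application still owns when the snippet ends, and it points at the two mistakes that end in a "GDI heap overflow": objects that are never deleted, and system objects that are deleted although the application never owned them. The script below is an added example, not code from the thread or from Wine: it parses Call/Ret relay lines of the format quoted above, pairs each Call with its Ret, tracks handle and heap-block ownership, and reports what is outstanding at the end. The quoted trace is embedded verbatim (with the two wrapped lines re-joined); the second fragment, its ordinals and the 0000ffe3 handle are constructed placeholders; the sets of creator, stock-getter, selector and releaser functions are my own minimal assumptions, not a complete list.

```python
import re

# The relay lines quoted in the thread (two wrapped lines re-joined), embedded
# so the script runs offline; a real trace comes from Wine's relay debug channel.
THREAD_TRACE = """\
Call kernel32.501: LocalAlloc(00000040,00000048) ret=1002caad fs=008f
Ret kernel32.501: LocalAlloc() retval=40381930 ret=1002caad fs=008f
Call gdi32.160: CreatePalette(40381930) ret=100257b3 fs=008f
Ret gdi32.160: CreatePalette() retval=000015ae ret=100257b3 fs=008f
Call kernel32.505: LocalFree(40381930) ret=1002cb1f fs=008f
Ret kernel32.505: LocalFree() retval=00000000 ret=1002cb1f fs=008f
Call gdi32.139: CreateDCA(1003e1e0 "DISPLAY",00000000,00000000,00000000) ret=10025803 fs=008f
Ret gdi32.139: CreateDCA() retval=000015c6 ret=10025803 fs=008f
Call gdi32.429: SelectPalette(000015c6,000015ae,00000001) ret=10025825 fs=008f
Ret gdi32.429: SelectPalette() retval=0000ffef ret=10025825 fs=008f
Call gdi32.409: RealizePalette(000015c6) ret=1002582e fs=008f
Ret gdi32.409: RealizePalette() retval=00000010 ret=1002582e fs=008f
Call gdi32.144: CreateDIBitmap(000015c6,4036c6bc,00000000,00000000,00000000,00000000)
Ret gdi32.144: CreateDIBitmap() retval=000015de ret=10025847 fs=008f
Call gdi32.441: SetDIBits(000015c6,000015de,00000000,00000168,4036c758,4036c6bc,00000000)
Ret gdi32.441: SetDIBits() retval=00000168 ret=10025877 fs=008f
Call kernel32.505: LocalFree(4036c758) ret=1002cb1f fs=008f
Ret kernel32.505: LocalFree() retval=00000000 ret=1002cb1f fs=008f
Call gdi32.429: SelectPalette(000015c6,0000ffef,00000001) ret=10025891 fs=008f
Ret gdi32.429: SelectPalette() retval=000015ae ret=10025891 fs=008f
Call gdi32.174: DeleteDC(000015c6) ret=10025898 fs=008f
"""

# Constructed fragment (placeholder ordinals and handle) for the other mistake the
# thread mentions: an application deleting a system colour brush it does not own.
SYSBRUSH_TRACE = """\
Call user32.000: GetSysColorBrush(0000000f)
Ret user32.000: GetSysColorBrush() retval=0000ffe3
Call gdi32.000: DeleteObject(0000ffe3)
Ret gdi32.000: DeleteObject() retval=00000001
"""

CALL_RE = re.compile(r'^Call \S+: (\w+)\((.*)\)(?:\s+ret=.*)?$')
RET_RE = re.compile(r'^Ret \S+: (\w+)\(\) retval=([0-9a-f]+)')


def parse_events(text):
    """Pair each Call line with its Ret line; calls and returns nest on one thread."""
    events, stack = [], []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            # first token of each argument: drops the "DISPLAY" string shown after a pointer
            args = [a.split()[0] for a in m.group(2).split(',') if a.strip()]
            ev = {'func': m.group(1), 'args': args, 'retval': None}
            stack.append(ev)
            events.append(ev)          # kept in call order; retval filled in on Ret
            continue
        m = RET_RE.match(line)
        if m and stack and stack[-1]['func'] == m.group(1):
            stack.pop()['retval'] = m.group(2)
    return events                      # a Call with no Ret (trace cut off) keeps retval=None


# Assumed, deliberately small, function classes (not an exhaustive list of GDI).
CREATORS = {'CreatePalette', 'CreateDCA', 'CreateDCW', 'CreateCompatibleDC', 'CreateDIBitmap',
            'CreateCompatibleBitmap', 'CreatePen', 'CreateSolidBrush', 'CreateFontIndirectA'}
STOCK_GETTERS = {'GetStockObject', 'GetSysColorBrush'}   # handles the app must never delete
SELECTORS = {'SelectPalette', 'SelectObject'}
RELEASERS = {'DeleteDC', 'DeleteObject'}


def audit(events):
    """Walk the events and report handle and heap-block ownership mistakes."""
    live, heap, stock, selected, findings = {}, {}, set(), {}, []
    for ev in events:
        f, a, r = ev['func'], ev['args'], ev['retval']
        ok = r not in (None, '00000000')            # call returned a non-NULL value
        if f in ('LocalAlloc', 'GlobalAlloc') and ok:
            heap[r] = int(a[1], 16)                  # block -> requested size
        elif f in ('LocalFree', 'GlobalFree'):
            if heap.pop(a[0], None) is None:
                findings.append(f'{f}({a[0]}): block not allocated within trace (allocated earlier?)')
        elif f in CREATORS and ok:
            live[r] = f                              # handle owned by the application
        elif f in STOCK_GETTERS and ok:
            stock.add(r)
        elif f in SELECTORS and ok:
            if r not in live:
                stock.add(r)         # previous object was never created by the app: a default object
            selected[a[0]] = a[1]    # dc -> object now selected into it
        elif f in RELEASERS:
            h = a[0]
            if h in stock:
                findings.append(f'{f}({h}): deleting a stock/system object')
            elif live.pop(h, None) is None:
                findings.append(f'{f}({h}): handle not created within trace, or deleted twice')
            if f == 'DeleteDC':
                cur = selected.pop(h, None)
                if cur is not None and cur not in stock:
                    findings.append(f'DeleteDC({h}): user object {cur} still selected')
    findings += [f'leak: {h} from {fn} never deleted within trace' for h, fn in live.items()]
    findings += [f'leak: heap block {b} ({n} bytes) never freed' for b, n in heap.items()]
    return findings


if __name__ == '__main__':
    for name, text in (('thread trace', THREAD_TRACE), ('sysbrush fragment', SYSBRUSH_TRACE)):
        print(f'== {name}')
        for line in audit(parse_events(text)):
            print('  ' + line)
```

On the quoted trace the audit reports the LocalFree of a block allocated before the excerpt starts, which the thread already explains, and the palette 000015ae and bitmap 000015de as still outstanding when the excerpt ends; whether they are real leaks depends on what the program does after the snippet. The DC is cleaned up correctly: the ffef default palette was selected back in before DeleteDC, so no "user object still selected" finding appears. On the constructed fragment it flags the DeleteObject of the system brush.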