WINE vulnerable to WMF vulnerability

The vulnerability recently discovered in Windows, and patched just several days ago, has been found to be exploitable on WINE-based systems; this also includes the Crossover Office package.

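According to H D Moore, wine-20050930/dlls/gdi/driver.c includes the following, where the SETABORTPROC case of Escape passes in_data to SetAbortProc cast to a function pointer: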

/**************************************************************
Escape [GDI32.@]
*/
INT WINAPI Escape( HDC hdc, INT escape, INT in_count, LPCSTR in_data,
LPVOID out_data )
{
INT ret;
POINT *pt;

switch (escape)
{
case ABORTDOC:
return AbortDoc( hdc );
[ snip ]
case SETABORTPROC:
return SetAbortProc( hdc, (ABORTPROC)in_data );
[ snip ]

And wine-20050930/dlls/gdi/printdrv.c includes the following, where SetAbortProc stores the supplied pointer in the device context:

/**********************************************************
* call_abort_proc16
*
* Calls the 16-bit abort procedure recorded in the DC, if one is set.
*
* Returns FALSE when hdc does not resolve to a DC, TRUE when no 16-bit
* procedure is recorded, and otherwise the low word of the value that
* WOWCallback16Ex stores in ret.
*
* Security note: dc->pAbortProc16 is used as a call target with no check in
* this function. It is a different field from dc->pAbortProc, which
* SetAbortProc writes; the code that sets pAbortProc16 is not shown in this
* excerpt.
*/
static BOOL CALLBACK call_abort_proc16( HDC hdc, INT code )
{
ABORTPROC16 proc16;
DC *dc = DC_GetDCPtr( hdc );

if (!dc) return FALSE;
/* Copy the pointer out, then release the GDI object before the callback runs. */
proc16 = dc->pAbortProc16;
GDI_ReleaseObj( hdc );
if (proc16)
{
WORD args[2];
DWORD ret;

/* Callback arguments: args[1] is HDC_16(hdc) (presumably the 16-bit form of
 * the handle), args[0] is the code passed in by the caller. */
args[1] = HDC_16(hdc);
args[0] = code;
/* NOTE(review): the result of WOWCallback16Ex is not checked and ret has no
 * initial value; if the call can fail without writing ret, the return below
 * reads an indeterminate value - confirm. */
WOWCallback16Ex( (DWORD)proc16, WCB16_PASCAL, sizeof(args), args,
&ret );
return LOWORD(ret);
}
return TRUE;
}

/******************************************************
* SetAbortProc (GDI32.@)
*
* Records abrtprc as the abort procedure of the DC behind hdc.
*
* Returns FALSE when hdc does not resolve to a DC, TRUE otherwise (the
* declared return type is INT).
*
* Security note: the pointer is stored exactly as received; nothing here
* checks where it came from or what it points to. EndPage later calls
* through dc->pAbortProc, and the SETABORTPROC case of Escape reaches this
* function with in_data cast to ABORTPROC, so any data that a caller of
* Escape forwards as in_data becomes a call target. A check on the origin of
* that data has to sit in whichever caller handles untrusted input
* (the advisory attributes the exposure to WMF handling; that code is not
* shown in this excerpt).
*/
INT WINAPI SetAbortProc(HDC hdc, ABORTPROC abrtprc)
{
DC *dc = DC_GetDCPtr( hdc );

if (!dc) return FALSE;
/* Stored without validation; read back and called by EndPage. */
dc->pAbortProc = abrtprc;
GDI_ReleaseObj( hdc );
return TRUE;
}

Finally, wine-20050930/dlls/gdi/printdrv.c includes EndPage, which calls the abort procedure stored in the device context:

/******************************************************************
* EndPage [GDI32.@]
*
* Ends the current page on the DC and then consults the abort procedure.
*
* Returns SP_ERROR when hdc does not resolve to a DC. Otherwise returns the
* result of the driver's pEndPage entry (0 when the driver has none), or 0
* when an abort procedure is set and returns zero, in which case EndDoc is
* called as well.
*
* Security note: dc->pAbortProc is called as a function with no check in
* this function. It holds whatever SetAbortProc last stored, so the safety of
* this indirect call depends entirely on the callers of SetAbortProc,
* including the SETABORTPROC case of Escape.
*/
INT WINAPI EndPage(HDC hdc)
{
ABORTPROC abort_proc;
INT ret = 0;
DC *dc = DC_GetDCPtr( hdc );
if(!dc) return SP_ERROR;

/* The driver entry is optional; ret stays 0 when it is absent. */
if (dc->funcs->pEndPage) ret = dc->funcs->pEndPage( dc->physDev );
/* Copy the pointer out, then release the GDI object before the callback runs. */
abort_proc = dc->pAbortProc;
GDI_ReleaseObj( hdc );
/* Indirect call through the stored pointer; a zero return ends the document. */
if (abort_proc && !abort_proc( hdc, 0 ))
{
EndDoc( hdc );
ret = 0;
}
return ret;
}
