From: Indrek Altpere
Subject: winemenubuilder: fix crash caused by invalid icon entries and avoid future crashes by ignoring unhandled png entries (resend)
Message-Id:
Date: Thu, 28 Aug 2014 09:18:48 +0300

Forgot to link to the bug before, also added more detailed description.

Fixes https://bugs.winehq.org/show_bug.cgi?id=19241

For the InnoSetup 5 crash (and likely other similar reported crashes), the issue seems to be GRPICONDIRENTRY with invalid information. The dwBytesInRes has a value that exceeds the Size value in IMAGE_RESOURCE_DATA_ENTRY, causing out-of-bounds memcpy and thus the crash.

dwBytesRes value 0x40028, as mentioned by Focht and existing in the executable, seems to be the size of unpacked bitmap data (256x256x4 + 40 byte header) and not the actual size of compressed PNG bytes.

Added check+clipping against the out-of-bounds read, which fixes the particular crash.

As per MSDN blog, icon resources can contain raw PNG information instead of regular BITMAPINFO, but due to weird decisions, the only way to differentiate between them is to check if the resource starts with PNG header bytes.
http://blogs.msdn.com/b/oldnewthing/archive/2010/10/22/10079192.aspx

Made the winemenubuilder ignore such entries for now (with fixme notices), since using PNG raw bytes as BITMAPINFO data is definitely invalid and is due to cause other issues/crashes when the best matching size icon happens to be PNG. A new bug should be opened for the missing PNG support.

Regards,
Indrek
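The two checks described in the message above, as an added C example that is not the patch itself and not Wine's code: clip the size claimed by the directory entry to the real resource size, and skip images that begin with the PNG signature. All function and variable names are hypothetical, and the sample resources are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum icon_kind { ICON_INVALID, ICON_BITMAP, ICON_PNG };
static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
/* Constructed sample resources (not taken from any real executable). */
static const uint8_t SAMPLE_PNG[64] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
static const uint8_t SAMPLE_BMP[48] = {40, 0, 0, 0}; /* biSize = 40, little-endian */
static uint8_t out_buf[64];
static enum icon_kind out_kind;

/* Clip the size claimed by the directory entry to the real resource size. */
static size_t clip_icon_size(uint32_t claimed, uint32_t actual)
{
    return claimed > actual ? actual : claimed;
}

/* Only the leading bytes tell a raw PNG apart from BITMAPINFO data. */
static enum icon_kind classify_icon(const uint8_t *data, size_t len)
{
    if (data == NULL) return ICON_INVALID;
    if (len >= sizeof(PNG_SIG) && memcmp(data, PNG_SIG, sizeof(PNG_SIG)) == 0)
        return ICON_PNG;
    /* A BITMAPINFOHEADER alone is 40 bytes; anything shorter is unusable. */
    return len >= 40 ? ICON_BITMAP : ICON_INVALID;
}

/* Copy one image into dst. Returns bytes copied, or 0 when the entry is
 * skipped (PNG, truncated, or larger than dst). */
static size_t copy_icon_image(uint8_t *dst, size_t dst_cap, const uint8_t *res,
                              uint32_t res_size, uint32_t claimed, enum icon_kind *kind)
{
    size_t n = clip_icon_size(claimed, res_size);
    *kind = classify_icon(res, n);
    if (*kind != ICON_BITMAP || n > dst_cap)
        return 0;
    memcpy(dst, res, n);
    return n;
}

int main(void)
{
    /* The entry claims 0x40028 bytes, but the resource holds only 64. */
    size_t n = copy_icon_image(out_buf, sizeof(out_buf), SAMPLE_PNG,
                               sizeof(SAMPLE_PNG), 0x40028, &out_kind);
    return (n == 0 && out_kind == ICON_PNG) ? 0 : 1;
}
```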