From: Alistair Leslie-Hughes
Subject: [v6 PATCH] comctl32/tooltip: Protect TTM_ADDTOOLW from invalid text pointers
Message-Id:
Date: Fri, 22 Apr 2016 07:55:17 +0000
Fixes https://bugs.winehq.org/show_bug.cgi?id=10347
Signed-off-by: Alistair Leslie-Hughes
---
 dlls/comctl32/tests/tooltips.c | 39 +++++++++++++++++++++++++++++++++++++++
 dlls/comctl32/tooltips.c | 5 ++++-
 2 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/dlls/comctl32/tests/tooltips.c b/dlls/comctl32/tests/tooltips.c
index 3382fce..db3d3c4 100644
--- a/dlls/comctl32/tests/tooltips.c
+++ b/dlls/comctl32/tests/tooltips.c
@@ -446,6 +446,45 @@ static void test_gettext(void)
 r = SendMessageW(hwnd, TTM_ADDTOOLW, 0, (LPARAM)&toolinfoW);
 ok(!r, "Adding the tool to the tooltip succeeded!\n");
+ /* lpszText with an invalid address */
+ toolinfoW.cbSize = sizeof(TTTOOLINFOW);
+ toolinfoW.hwnd = notify;
+ toolinfoW.hinst = GetModuleHandleA(NULL);
+ toolinfoW.uFlags = 0;
+ toolinfoW.uId = 0;
+ toolinfoW.lpszText = (LPWSTR)0xdeadbeef;
+ toolinfoW.lParam = 0;
+ GetClientRect(hwnd, &toolinfoW.rect);
+ r = SendMessageA(hwnd, TTM_ADDTOOLW, 0, (LPARAM)&toolinfoW);
+ ok(!r, "Adding the tool to the tooltip succeeded!\n");
+
+ /* lpszText with an callback address */
+ toolinfoW.cbSize = sizeof(TTTOOLINFOW);
+ toolinfoW.hwnd = notify;
+ toolinfoW.hinst = GetModuleHandleA(NULL);
+ toolinfoW.uFlags = 0;
+ toolinfoW.uId = 0;
+ toolinfoW.lpszText = LPSTR_TEXTCALLBACKW;
+ toolinfoW.lParam = 0;
+ GetClientRect(hwnd, &toolinfoW.rect);
+ r = SendMessageA(hwnd, TTM_ADDTOOLW, 0, (LPARAM)&toolinfoW);
+ todo_wine ok(!r, "Adding the tool to the tooltip succeeded!\n");
+
+ /* lpszText with an invalid address. Crashes using TTTOOLINFOA message */
+ if(0)
+ {
+ toolinfoA.cbSize = sizeof(TTTOOLINFOA);
+ toolinfoA.hwnd = notify;
+ toolinfoA.hinst = GetModuleHandleA(NULL);
+ toolinfoA.uFlags = 0;
+ toolinfoA.uId = 0;
+ toolinfoA.lpszText = (LPSTR)0xdeadbeef;
+ toolinfoA.lParam = 0;
+ GetClientRect(hwnd, &toolinfoA.rect);
+ r = SendMessageA(hwnd, TTM_ADDTOOLA, 0, (LPARAM)&toolinfoA);
+ ok(!r, "Adding the tool to the tooltip succeeded!\n");
+ }
+
 if (0) /* crashes on NT4 */
 {
 toolinfoW.hwnd = NULL;
diff --git a/dlls/comctl32/tooltips.c b/dlls/comctl32/tooltips.c
index 8bf6919..804e9ed 100644
--- a/dlls/comctl32/tooltips.c
+++ b/dlls/comctl32/tooltips.c
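Review bot: The two new W cases post `TTM_ADDTOOLW` through `SendMessageA`, while the context lines directly above use `SendMessageW` for the same message; `r = SendMessageW(hwnd, TTM_ADDTOOLW, 0, (LPARAM)&toolinfoW);` would keep them consistent with the rest of test_gettext. The `LPSTR_TEXTCALLBACKW` case expects the add to fail and is marked `todo_wine`, but nothing in the hunk says why a callback string should be rejected here; a one-line comment stating the reason observed on Windows would make that expectation reviewable (its comment also reads "an callback address"). The disabled ANSI block should name where it crashes, in the style of the following `if (0) /* crashes on NT4 */`, since that determines whether the `TTM_ADDTOOLA` path with a bad pointer is meant to stay unvalidated. test_gettext starts and continues outside the hunk.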
@@ -1038,7 +1038,10 @@ TOOLTIPS_AddToolT (TOOLTIPS_INFO *infoPtr, const TTTOOLINFOW *ti, BOOL isW)
 infoPtr->hwndSelf, ti->hwnd, ti->uId, (ti->uFlags & TTF_IDISHWND) ? " TTF_IDISHWND" : "");
- if (ti->cbSize >= TTTOOLINFOW_V2_SIZE && !ti->lpszText && isW)
+ if (ti->cbSize >= TTTOOLINFOW_V2_SIZE && isW
+ && !TOOLTIPS_IsCallbackString(ti->lpszText, isW)
+ && !(ti->lpszText && IS_INTRESOURCE(ti->lpszText))
+ && IsBadStringPtrW(ti->lpszText, sizeof(WCHAR)) )
 return FALSE;
 if (infoPtr->uNumTools == 0) {
--
1.9.1
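Review bot: `IsBadStringPtrW(ti->lpszText, sizeof(WCHAR))` passes a byte size where the API takes a maximum length in characters, so at most two WCHARs are probed. A pointer whose first characters are readable but whose string runs into unmapped memory before the terminator still passes this check and would fault when the text is copied later in TOOLTIPS_AddToolT, which continues outside the hunk. The probe is also check-then-use, because the memory can change between this test and the copy, which is why the IsBad*Ptr family is documented as unreliable for validation. Guarding the copy itself with a page-fault handler (Wine's `__TRY` / `__EXCEPT_PAGE_FAULT`) would cover the whole string and close that window. The check remains gated on `isW` and `cbSize >= TTTOOLINFOW_V2_SIZE`, so the ANSI path and smaller structures are still unvalidated; a short comment saying whether that is deliberate would help, given that the test hunk disables the ANSI case as crashing.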