From: Eberhard Beilharz Subject: [PATCH] imagelist: fix crash with large number of images Message-Id: <50773a42-0d53-96cf-c121-53444b9d162f@sil.org> Date: Tue, 11 Dec 2018 22:17:19 +0100 From 26ff5a74523c686cc5c626d507af13a57f156517 Mon Sep 17 00:00:00 2001 From: Eberhard Beilharz Date: Tue, 11 Dec 2018 21:00:23 +0100 Subject: [PATCH] imagelist: fix crash with large number of images This change fixes a crash that occurred when reading a imagelist with a large number of images. In the particular case we read a cMaxImage value of 1032, but allocated only 40 or so images. This lead to memory corruption in ImageList_Read. This change allows to run TntConnect (https://www.tntware.com/tntconnect). Signed-off-by: Eberhard Beilharz --- dlls/comctl32/imagelist.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dlls/comctl32/imagelist.c b/dlls/comctl32/imagelist.c index a08d60752e..ffcec86543 100644 --- a/dlls/comctl32/imagelist.c +++ b/dlls/comctl32/imagelist.c @@ -2273,7 +2273,7 @@ HIMAGELIST WINAPI ImageList_Read(IStream *pstm) TRACE("cx %u, cy %u, flags 0x%04x, cCurImage %u, cMaxImage %u\n", ilHead.cx, ilHead.cy, ilHead.flags, ilHead.cCurImage, ilHead.cMaxImage); - himl = ImageList_Create(ilHead.cx, ilHead.cy, ilHead.flags, ilHead.cCurImage, ilHead.cMaxImage); + himl = ImageList_Create(ilHead.cx, ilHead.cy, ilHead.flags, ilHead.cMaxImage, ilHead.cMaxImage); if (!himl) return NULL; -- 2.19.2