From 2230fea0b6b47c6a3c2943d7b7f759912730dc40 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
Date: Tue, 22 Apr 2014 19:47:47 +0200
Subject: [PATCH] win32: add more clipboard data checks to avoid crash

It may happen that the received clipboard data is empty, but if it's of type image/bmp, gtk+ will crash:

gdk_property_change: 00030AD4 GDK_SELECTION image/bmp REPLACE 8*0 bits: ... delayed rendering
gdk_selection_send_notify_for_display: 00030AD4 CLIPBOARD image/bmp GDK_SELECTION (no-op)
_gdk_win32_selection_convert_to_dib: 1252003C image/bmp

Program received signal SIGSEGV, Segmentation fault.
0x749a9f40 in msvcrt!memmove () from C:\Windows\syswow64\msvcrt.dll

Thread 1 (Thread 2248.0x1b34): target=0xc07b) at gdkselection-win32.c:1292 at gdkevents-win32.c:3498 wparam=8, lparam=0) at gdkevents-win32.c:232 message=773, wparam=8, lparam=0) at gdkevents-win32.c:263 C:\Windows\syswow64\user32.dll C:\Users\rugoosse\AppData\Local\virt-viewer\bin\libpangocairo-1.0-0.dll wparam=0, lparam=-1687549457) at gdkevents-win32.c:248 C:\Users\rugoosse\AppData\Local\virt-viewer\bin\libpangocairo-1.0-0.dll

https://bugzilla.gnome.org/show_bug.cgi?id=728745
---
 gdk/win32/gdkproperty-win32.c  | 6 ++++++
 gdk/win32/gdkselection-win32.c | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/gdk/win32/gdkproperty-win32.c b/gdk/win32/gdkproperty-win32.c
index cc0bd25b7c..a2ef3bee45 100644
--- a/gdk/win32/gdkproperty-win32.c
+++ b/gdk/win32/gdkproperty-win32.c
@@ -186,6 +186,12 @@ _gdk_win32_window_change_property (GdkWindow *window,
       format == 8 &&
       mode == GDK_PROP_MODE_REPLACE)
     {
+      if (type == _image_bmp && nelements < sizeof (BITMAPFILEHEADER))
+        {
+          g_warning ("Clipboard contains invalid bitmap data");
+          return;
+        }
+
       if (type == _utf8_string)
         {
           if (!OpenClipboard (GDK_WINDOW_HWND (window)))
diff --git a/gdk/win32/gdkselection-win32.c b/gdk/win32/gdkselection-win32.c
index c2a0893645..8c54240782 100644
--- a/gdk/win32/gdkselection-win32.c
+++ b/gdk/win32/gdkselection-win32.c
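Review bot: The new guard in _gdk_win32_window_change_property only rejects image/bmp data shorter than a BITMAPFILEHEADER, so a property of exactly sizeof (BITMAPFILEHEADER) bytes still passes and, once the file header is stripped (the convert_to_dib hunk in this same patch computes `GlobalSize (hdata) - sizeof (BITMAPFILEHEADER)` with no further check), an empty DIB is offered to the clipboard; the smallest thing a consumer can read there is a BITMAPINFOHEADER, so I would tighten it to `if (type == _image_bmp && nelements < sizeof (BITMAPFILEHEADER) + sizeof (BITMAPINFOHEADER))`. The guard also never looks at the header's bfSize/bfOffBits fields, so a bitmap whose header claims more payload than nelements carries is still accepted; since the backtrace in the description comes from virt-viewer, this data is presumably forwarded from another party and those fields should be checked against nelements before the data is handed on, or the guard documented as a minimal sanity check only. If nelements is a signed gint as in the public gdk_property_change signature, the comparison against size_t is signed/unsigned and a negative count would slip through, so casting or an explicit `nelements < 0` test is worth adding. A why-comment above the guard would help the next reader: `/* Reject image/bmp data too short for the file header that convert_to_dib strips unconditionally */`. _gdk_win32_window_change_property begins before this hunk and its body continues after it.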
@@ -1285,6 +1285,8 @@ _gdk_win32_selection_convert_to_dib (HGLOBAL hdata,
   if (target == _image_bmp)
     {
+      g_return_val_if_fail (GlobalSize (hdata) >= sizeof (BITMAPFILEHEADER), NULL);
+
       /* No conversion is needed, just strip the BITMAPFILEHEADER */
       HGLOBAL hdatanew;
       SIZE_T size = GlobalSize (hdata) - sizeof (BITMAPFILEHEADER);