Server crashes processing cursor shape when DXGI reports width or height of...

Brought to you by: anton19286, const_k, crazy-walrus

#1661 Server crashes processing cursor shape when DXGI reports width or height of 0 (2.8.87)

Status: open

Owner: nobody

Labels: Server (9) Win32 (10)

Priority: 6

Updated: 1 hour ago

Created: 2 days ago

Creator: Securin Disclose

Private: No

Integer underflow in WinCursorShapeUtils::trimTransparent()
(desktop/WinCursorShapeUtils.cpp:168):

for (UINT x = width - 1; x > trimmedWidth; --x)

width=0 -> width-1 wraps to 0xFFFFFFFF. Loop enters immediately,
isPixelTransparent() gets x=0xFFFFFFFF, computes offset ~4 GB -> crash.

Same for height: getCursorHeight() divides Height by 2 for monochrome;
Height=1 -> 0 -> height-1 wraps identically.

Extra bug: getCursorHeight() takes shapeInfo by non-const ref and does
return shapeInfo.Height /= 2;
permanently halving the caller's struct (line 256).

Attached PoC confirms: UINT x=c_uint32(0-1)=0xFFFFFFFF, loop condition
True, offset=4294967292 bytes into a 65536-byte buffer.
Crash PoC exits STATUS_ACCESS_VIOLATION (0xC0000005).

Fix: guard if (width==0 || height==0) return; at top of trimTransparent().
Version: 2.8.87.

Discussion

Securin Disclose - 1 hour ago

attached

F05_Integer_Underflow_in_Cursor_Shape_Trimmer__4GB_O.zip

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Server crashes processing cursor shape when DXGI reports width or height of...

Group

Searches

Help

#1661 Server crashes processing cursor shape when DXGI reports width or height of 0 (2.8.87)

Discussion