Dailydave mailing list archives
Re: WMF goes away :<
From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Thu, 5 Jan 2006 15:14:14 -0600
On Thursday 05 January 2006 14:42, Dave Aitel wrote:
MS released a patch for the WMF bug today.
[ snip ]
Ooh, 2 hours left. Breathless anticipation and muddling around in BinNavi trying to not use the Escape function. Sending raw postscript to the printer is neat, but I want something nicer. -dave
Microsoft patched, but it is still exploitable in Wine :-)

--- wine-20050930/dlls/gdi/driver.c ---

/**************************************************************
 Escape [GDI32.@]
 */
INT WINAPI Escape( HDC hdc, INT escape, INT in_count, LPCSTR in_data, LPVOID out_data )
{
    INT ret;
    POINT *pt;

    switch (escape)
    {
    case ABORTDOC:
        return AbortDoc( hdc );
[ snip ]
    case SETABORTPROC:
        return SetAbortProc( hdc, (ABORTPROC)in_data );
[ snip ]

--- wine-20050930/dlls/gdi/printdrv.c ---

/**********************************************************
 * call_abort_proc16
 */
static BOOL CALLBACK call_abort_proc16( HDC hdc, INT code )
{
    ABORTPROC16 proc16;
    DC *dc = DC_GetDCPtr( hdc );

    if (!dc) return FALSE;
    proc16 = dc->pAbortProc16;
    GDI_ReleaseObj( hdc );
    if (proc16)
    {
        WORD args[2];
        DWORD ret;

        args[1] = HDC_16(hdc);
        args[0] = code;
        WOWCallback16Ex( (DWORD)proc16, WCB16_PASCAL, sizeof(args), args, &ret );
        return LOWORD(ret);
    }
    return TRUE;
}

/******************************************************
 * SetAbortProc (GDI32.@)
 *
 */
INT WINAPI SetAbortProc(HDC hdc, ABORTPROC abrtprc)
{
    DC *dc = DC_GetDCPtr( hdc );

    if (!dc) return FALSE;
    dc->pAbortProc = abrtprc;
    GDI_ReleaseObj( hdc );
    return TRUE;
}

--- wine-20050930/dlls/gdi/printdrv.c ---

/******************************************************************
 * EndPage [GDI32.@]
 *
 */
INT WINAPI EndPage(HDC hdc)
{
    ABORTPROC abort_proc;
    INT ret = 0;
    DC *dc = DC_GetDCPtr( hdc );
    if(!dc) return SP_ERROR;

    if (dc->funcs->pEndPage) ret = dc->funcs->pEndPage( dc->physDev );
    abort_proc = dc->pAbortProc;
    GDI_ReleaseObj( hdc );
    if (abort_proc && !abort_proc( hdc, 0 ))
    {
        EndDoc( hdc );
        ret = 0;
    }
    return ret;
}

-HD