Full Disclosure mailing list archives

BMP WMPlayer vulnerability


From: "Karma" <karma () designfolks com au>
Date: Thu, 16 Feb 2006 14:44:11 +1100

Anyone determined the offset where the heap alloc routine is located? I diffed the two wmp.dll's and they are
significantly changed, I think the code is very much optimised in this release, many routines are changed. I have been
tracing the mallocs and GlobalAllocs without any luck. Hoping someone is having better luck than I.

Basically, it would be great to know if 0 is the only size that causes the error and how the error is handled. 

Where is the size field located in the BMP metadata?