From 1a45c4289814e4b594118a91d0b5a8ca100886b8 Mon Sep 17 00:00:00 2001
From: =?utf8?q?J=C3=A9r=C3=B4me=20Gardou?=
Date: Wed, 1 Sep 2010 22:36:00 +0000
Subject: [PATCH] [WIN32K] - Do not acccess unsafe bits outside of PSEH

svn path=/branches/reactos-yarotows/; revision=48685
---
 subsystems/win32/win32k/objects/dibobj.c | 42 +++++++++++++++++-------
 1 file changed, 31 insertions(+), 11 deletions(-)

diff --git a/subsystems/win32/win32k/objects/dibobj.c b/subsystems/win32/win32k/objects/dibobj.c
index c2015d36d4c..e4caf1d6276 100644
--- a/subsystems/win32/win32k/objects/dibobj.c
+++ b/subsystems/win32/win32k/objects/dibobj.c
@@ -1219,11 +1219,27 @@ NtGdiCreateDIBitmapInternal(
 IN HANDLE hcmXform)
 {
 NTSTATUS Status = STATUS_SUCCESS;
+ PBYTE safeBits = NULL;
+ HBITMAP hbmResult = NULL;
+
+ if(pjInit && (fInit == CBM_INIT))
+ {
+ safeBits = ExAllocatePoolWithTag(PagedPool, cjMaxBits, TAG_DIB);
+ if(!safeBits)
+ {
+ SetLastWin32Error(ERROR_NOT_ENOUGH_MEMORY);
+ return NULL;
+ }
+ }
 _SEH2_TRY
 {
 if(pbmi) ProbeForRead(pbmi, cjMaxInitInfo, 1);
- if(pjInit && (fInit == CBM_INIT)) ProbeForRead(pjInit, cjMaxBits, 1);
+ if(pjInit && (fInit == CBM_INIT))
+ {
+ ProbeForRead(pjInit, cjMaxBits, 1);
+ RtlCopyMemory(safeBits, pjInit, cjMaxBits);
+ }
 }
 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
 {
@@ -1234,18 +1250,22 @@ NtGdiCreateDIBitmapInternal(
 if(!NT_SUCCESS(Status))
 {
 SetLastNtError(Status);
- return NULL;
+ goto cleanup;
 }
- return GreCreateDIBitmapInternal(hDc,
- cx,
- cy,
- fInit,
- pjInit,
- pbmi,
- iUsage,
- fl,
- hcmXform);
+ hbmResult = GreCreateDIBitmapInternal(hDc,
+ cx,
+ cy,
+ fInit,
+ safeBits,
+ pbmi,
+ iUsage,
+ fl,
+ hcmXform);
+
+cleanup:
+ ExFreePoolWithTag(safeBits, TAG_DIB);
+ return hbmResult;
 }
 HBITMAP
--
2.17.1
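Review bot: The pool buffer allocated at the top of NtGdiCreateDIBitmapInternal is sized only by the caller-supplied `cjMaxBits`, and the second hunk hands `safeBits` to GreCreateDIBitmapInternal without any length. If the callee works out how many bytes to read from the header or from `cx`/`cy` (not visible here), a `cjMaxBits` smaller than that now produces a read past a kernel pool allocation rather than a fault on a user address. I would add above the allocation `/* TODO(review): derive the required size from a captured BITMAPINFO and reject cjMaxBits below it */` and implement that check. `pbmi` is likewise only probed inside `_SEH2_TRY`, not captured, so the header is still a user-mode pointer when it is passed on. The function starts before this hunk and the `_SEH2_EXCEPT` body continues after it.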
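Review bot: The `cleanup:` label calls `ExFreePoolWithTag(safeBits, TAG_DIB)` unconditionally, but `safeBits` is still NULL whenever `pjInit` is NULL or `fInit` is not `CBM_INIT`, which includes the probe-failure path for such calls. The documented contract for ExFreePoolWithTag is a pointer previously returned by a pool allocation, so unless this tree's implementation tolerates NULL the free should be guarded: `if (safeBits) ExFreePoolWithTag(safeBits, TAG_DIB);`.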