Re: [ros-dev] [ros-diffs] [tkreuzer] 70464: [WIN32K] Properly check the bitmap size in IntSetDIBits, taking into account that it might be set to 0, then we have to calculate it ourselves. Fixes a crash when invalid data is ...
1 Jan
2016
1 Jan
'16
3:57 p.m.
Timo, this is causing testbot to freak out since it now crashes during
an apitest. Could you look into it?
Thanks.
On 2015-12-29 21:28, tkreuzer(a)svn.reactos.org wrote:
Author: tkreuzer
Date: Tue Dec 29 20:28:23 2015
New Revision: 70464
URL: http://svn.reactos.org/svn/reactos?rev=70464&view=rev
Log:
[WIN32K]
Properly check the bitmap size in IntSetDIBits, taking into account that it might be set
to 0, then we have to calculate it ourselves. Fixes a crash when invalid data is passed to
NtGdiCreateDIBitmapInternal.
[GDI32]
Convert COREINFOHEADER to BITMAPINFOHEADER before passing it to
NtGdiCreateDIBitmapInternal, which doesn't support it.
CORE-10583 #resolve
Modified:
trunk/reactos/win32ss/gdi/gdi32/objects/bitmap.c
trunk/reactos/win32ss/gdi/ntgdi/dibobj.c
Modified: trunk/reactos/win32ss/gdi/gdi32/objects/bitmap.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/gdi32/objects/…
==============================================================================
--- trunk/reactos/win32ss/gdi/gdi32/objects/bitmap.c [iso-8859-1] (original)
+++ trunk/reactos/win32ss/gdi/gdi32/objects/bitmap.c [iso-8859-1] Tue Dec 29 20:28:23
2015
@@ -408,23 +408,30 @@
// PDC_ATTR pDc_Attr;
UINT InfoSize = 0;
UINT cjBmpScanSize = 0;
- HBITMAP hBmp;
+ HBITMAP hBmp = NULL;
NTSTATUS Status = STATUS_SUCCESS;
+ PBITMAPINFO pbmiConverted;
+ UINT cjInfoSize;
+
+ /* Convert the BITMAPINFO if it is a COREINFO */
+ pbmiConverted = ConvertBitmapInfo(Data, ColorUse, &cjInfoSize, FALSE);
/* Check for CBM_CREATDIB */
if (Init & CBM_CREATDIB)
{
/* CBM_CREATDIB needs Data. */
- if (!Data)
- {
- return 0;
+ if (pbmiConverted == NULL)
+ {
+ DPRINT1("CBM_CREATDIB needs a BITMAINFO!\n");
+ goto Exit;
}
/* It only works with PAL or RGB */
if (ColorUse > DIB_PAL_COLORS)
{
+ DPRINT1("Invalid ColorUse: %lu\n", ColorUse);
GdiSetLastError(ERROR_INVALID_PARAMETER);
- return 0;
+ goto Exit;
}
/* Use the header from the data */
@@ -434,38 +441,48 @@
/* Header is required */
if (!Header)
{
+ DPRINT1("Header is NULL\n");
GdiSetLastError(ERROR_INVALID_PARAMETER);
- return 0;
+ goto Exit;
}
/* Get the bitmap format and dimensions */
if (DIB_GetBitmapInfo(Header, &width, &height, &planes, &bpp,
&compr, &dibsize) == -1)
{
+ DPRINT1("DIB_GetBitmapInfo failed!\n");
GdiSetLastError(ERROR_INVALID_PARAMETER);
- return NULL;
+ goto Exit;
}
/* Check if the Compr is incompatible */
if ((compr == BI_JPEG) || (compr == BI_PNG) || (compr == BI_BITFIELDS))
- return 0;
+ {
+ DPRINT1("invalid compr: %lu!\n", compr);
+ goto Exit;
+ }
/* Only DIB_RGB_COLORS (0), DIB_PAL_COLORS (1) and 2 are valid. */
if (ColorUse > DIB_PAL_COLORS + 1)
{
+ DPRINT1("invalid compr: %lu!\n", compr);
GdiSetLastError(ERROR_INVALID_PARAMETER);
- return 0;
+ goto Exit;
}
/* If some Bits are given, only DIB_PAL_COLORS and DIB_RGB_COLORS are valid */
if (Bits && (ColorUse > DIB_PAL_COLORS))
{
+ DPRINT1("Invalid ColorUse: %lu\n", ColorUse);
GdiSetLastError(ERROR_INVALID_PARAMETER);
- return 0;
+ goto Exit;
}
/* Negative width is not allowed */
if (width < 0)
- return 0;
+ {
+ DPRINT1("Negative width: %li\n", width);
+ goto Exit;
+ }
/* Top-down DIBs have a negative height. */
height = abs(height);
@@ -473,13 +490,13 @@
// For Icm support.
// GdiGetHandleUserData(hdc, GDI_OBJECT_TYPE_DC, (PVOID)&pDc_Attr))
- if (Data)
+ if (pbmiConverted)
{
_SEH2_TRY
{
- cjBmpScanSize = GdiGetBitmapBitsSize((BITMAPINFO *) Data);
- CalculateColorTableSize(&Data->bmiHeader, &ColorUse,
&InfoSize);
- InfoSize += Data->bmiHeader.biSize;
+ cjBmpScanSize = GdiGetBitmapBitsSize(pbmiConverted);
+ CalculateColorTableSize(&pbmiConverted->bmiHeader, &ColorUse,
&InfoSize);
+ InfoSize += pbmiConverted->bmiHeader.biSize;
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
@@ -490,8 +507,9 @@
if (!NT_SUCCESS(Status))
{
+ DPRINT1("Got an exception!\n");
GdiSetLastError(ERROR_INVALID_PARAMETER);
- return NULL;
+ goto Exit;
}
DPRINT("pBMI %p, Size bpp %u, dibsize %d, Conv %u, BSS %u\n", Data, bpp,
dibsize, InfoSize,
@@ -501,9 +519,18 @@
hBmp = GetStockObject(DEFAULT_BITMAP);
else
{
- hBmp = NtGdiCreateDIBitmapInternal(hDC, width, height, Init, (LPBYTE) Bits,
- (LPBITMAPINFO) Data, ColorUse, InfoSize, cjBmpScanSize, 0, 0);
- }
+ hBmp = NtGdiCreateDIBitmapInternal(hDC, width, height, Init, (LPBYTE)Bits,
+ (LPBITMAPINFO)pbmiConverted, ColorUse, InfoSize, cjBmpScanSize, 0, 0);
+ }
+
+Exit:
+
+ /* Cleanup converted BITMAPINFO */
+ if ((pbmiConverted != NULL) && (pbmiConverted != Data))
+ {
+ RtlFreeHeap(RtlGetProcessHeap(), 0, pbmiConverted);
+ }
+
return hBmp;
}
Modified: trunk/reactos/win32ss/gdi/ntgdi/dibobj.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/ntgdi/dibobj.c…
==============================================================================
--- trunk/reactos/win32ss/gdi/ntgdi/dibobj.c [iso-8859-1] (original)
+++ trunk/reactos/win32ss/gdi/ntgdi/dibobj.c [iso-8859-1] Tue Dec 29 20:28:23 2015
@@ -259,11 +259,37 @@
POINTL ptSrc;
EXLATEOBJ exlo;
PPALETTE ppalDIB = 0;
+ ULONG cjSizeImage;
if (!bmi) return 0;
- if (bmi->bmiHeader.biSizeImage > cjMaxBits)
- {
+ /* Check if the header provided an image size */
+ if (bmi->bmiHeader.biSizeImage != 0)
+ {
+ /* Use the given size */
+ cjSizeImage = bmi->bmiHeader.biSizeImage;
+ }
+ /* Otherwise check for uncompressed formats */
+ else if ((bmi->bmiHeader.biCompression == BI_RGB) ||
+ (bmi->bmiHeader.biCompression == BI_BITFIELDS))
+ {
+ /* Calculate the image size */
+ cjSizeImage = DIB_GetDIBImageBytes(bmi->bmiHeader.biWidth,
+ ScanLines,
+ bmi->bmiHeader.biBitCount);
+ }
+ else
+ {
+ /* Compressed format without a size. This is invalid. */
+ DPRINT1("Compressed format without a size!");
+ return 0;
+ }
+
+ /* Check if the size that we have is ok */
+ if (cjSizeImage > cjMaxBits)
+ {
+ DPRINT1("Size too large! cjSizeImage = %lu, cjMaxBits = %lu\n",
+ cjSizeImage, cjMaxBits);
return 0;
}
@@ -273,7 +299,7 @@
BitmapFormat(bmi->bmiHeader.biBitCount,
bmi->bmiHeader.biCompression),
bmi->bmiHeader.biHeight < 0 ? BMF_TOPDOWN :
0,
- bmi->bmiHeader.biSizeImage,
+ cjSizeImage,
(PVOID)Bits,
0);
if (!SourceBitmap)
@@ -314,6 +340,8 @@
rcDst.right = psurfDst->SurfObj.sizlBitmap.cx;
ptSrc.x = 0;
ptSrc.y = 0;
+
+ NT_ASSERT(psurfSrc->SurfObj.cjBits <= cjMaxBits);
result = IntEngCopyBits(&psurfDst->SurfObj,
&psurfSrc->SurfObj,
@@ -1366,7 +1394,11 @@
/* Undocumented flag which creates a DDB of the format specified by the
bitmap info. */
handle = IntCreateCompatibleBitmap(Dc, width, height, planes, bpp);
if (!handle)
+ {
+ DPRINT1("IntCreateCompatibleBitmap() failed!\n");
return NULL;
+ }
+
/* The palette must also match the given data */
Surface = SURFACE_ShareLockSurface(handle);
ASSERT(Surface);
@@ -1430,6 +1462,7 @@
safeBits = ExAllocatePoolWithTag(PagedPool, cjMaxBits, TAG_DIB);
if(!safeBits)
{
+ DPRINT1("Failed to allocate %lu bytes\n", cjMaxBits);
EngSetLastError(ERROR_NOT_ENOUGH_MEMORY);
return NULL;
}
@@ -1452,6 +1485,7 @@
if(!NT_SUCCESS(Status))
{
+ DPRINT1("Got an exception! pjInit = %p\n", pjInit);
SetLastNtError(Status);
goto cleanup;
}
@@ -1498,6 +1532,7 @@
hdcDest = NtGdiCreateCompatibleDC(0);
if(!hdcDest)
{
+ DPRINT1("NtGdiCreateCompatibleDC failed\n");
return NULL;
}
}
@@ -1509,6 +1544,7 @@
Dc = DC_LockDc(hdcDest);
if (!Dc)
{
+ DPRINT1("Failed to lock hdcDest %p\n", hdcDest);
EngSetLastError(ERROR_INVALID_HANDLE);
return NULL;
}
3181
days inactive
3181
days old
0 comments
1 participants
participants (1)
-
Thomas Faber