[ros-diffs] [tkreuzer] 58434: [WIN32K] - Fix a bug in EngLoadModuleEx - Fix a bug in co_IntLoadSysMenuTemplate - Fix / improve a number of annotations - Improve code in NtGdiExtGetObjectW - Check return value ...

Author: tkreuzer Date: Tue Mar 5 08:47:51 2013 New Revision: 58434 URL: http://svn.reactos.org/svn/reactos?rev=58434&view=rev Log: [WIN32K] - Fix a bug in EngLoadModuleEx - Fix a bug in co_IntLoadSysMenuTemplate - Fix / improve a number of annotations - Improve code in NtGdiExtGetObjectW - Check return value of ZwAllocateVirtualMemory and handle error in GdiPoolAllocate - Fix possible memory leaks in NtGdiPolyDraw - Check for NtGdiExtCreatePen == NULL instead of passing it to ProbeForRead in NtGdiExtCreatePen - Simplify code in NtGdiGetTextMetricsW - Fix a number of format specifiers Modified: trunk/reactos/include/psdk/ntgdi.h trunk/reactos/win32ss/gdi/eng/bitblt.c trunk/reactos/win32ss/gdi/eng/engevent.c trunk/reactos/win32ss/gdi/eng/float.c trunk/reactos/win32ss/gdi/eng/mapping.c trunk/reactos/win32ss/gdi/eng/surface.c trunk/reactos/win32ss/gdi/eng/xlateobj.c trunk/reactos/win32ss/gdi/eng/xlateobj.h trunk/reactos/win32ss/gdi/ntgdi/gdiobj.c trunk/reactos/win32ss/gdi/ntgdi/gdipool.c trunk/reactos/win32ss/gdi/ntgdi/line.c trunk/reactos/win32ss/gdi/ntgdi/pen.c trunk/reactos/win32ss/gdi/ntgdi/text.c trunk/reactos/win32ss/reactx/ntddraw/dxeng.c trunk/reactos/win32ss/user/ntuser/callback.c Modified: trunk/reactos/include/psdk/ntgdi.h URL: http://svn.reactos.org/svn/reactos/trunk/reactos/include/psdk/ntgdi.h?rev=5… ============================================================================== --- trunk/reactos/include/psdk/ntgdi.h [iso-8859-1] (original) +++ trunk/reactos/include/psdk/ntgdi.h [iso-8859-1] Tue Mar 5 08:47:51 2013 @@ -1169,6 +1169,7 @@ NtGdiGetColorSpaceforBitmap( _In_ HBITMAP hsurf); +_Success_(return != FALSE) W32KAPI BOOL APIENTRY @@ -2253,6 +2254,7 @@ _Out_ LPSIZE psize, _In_ UINT flOpts); +_Success_(return != FALSE) W32KAPI BOOL APIENTRY @@ -2372,6 +2374,7 @@ _In_ INT y, _Out_opt_ LPPOINT pptOut); +_Success_(return != 0) W32KAPI INT APIENTRY Modified: trunk/reactos/win32ss/gdi/eng/bitblt.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/eng/bitblt.c?r… ============================================================================== --- trunk/reactos/win32ss/gdi/eng/bitblt.c [iso-8859-1] (original) +++ trunk/reactos/win32ss/gdi/eng/bitblt.c [iso-8859-1] Tue Mar 5 08:47:51 2013 @@ -305,10 +305,10 @@ _In_opt_ CLIPOBJ *pco, _In_opt_ XLATEOBJ *pxlo, _In_ RECTL *prclTrg, - _When_(psoSrc, _In_) POINTL *pptlSrc, - _When_(psoMask, _In_) POINTL *pptlMask, + _In_opt_ POINTL *pptlSrc, + _In_opt_ POINTL *pptlMask, _In_opt_ BRUSHOBJ *pbo, - _When_(pbo, _In_) POINTL *pptlBrush, + _In_opt_ POINTL *pptlBrush, _In_ ROP4 rop4) { BYTE clippingType; Modified: trunk/reactos/win32ss/gdi/eng/engevent.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/eng/engevent.c… ============================================================================== --- trunk/reactos/win32ss/gdi/eng/engevent.c [iso-8859-1] (original) +++ trunk/reactos/win32ss/gdi/eng/engevent.c [iso-8859-1] Tue Mar 5 08:47:51 2013 @@ -15,10 +15,12 @@ /* PUBLIC FUNCTIONS ***********************************************************/ +_Must_inspect_result_ +_Success_(return != FALSE) BOOL APIENTRY EngCreateEvent( - _Deref_out_opt_ PEVENT* Event) + _Outptr_ PEVENT *ppEvent) { BOOLEAN Result = TRUE; PENG_EVENT EngEvent; @@ -39,7 +41,7 @@ FALSE); /* Pass pointer to our structure to the caller */ - *Event = EngEvent; + *ppEvent = EngEvent; DPRINT("EngCreateEvent() created %p\n", EngEvent); } else Modified: trunk/reactos/win32ss/gdi/eng/float.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/eng/float.c?re… ============================================================================== --- trunk/reactos/win32ss/gdi/eng/float.c [iso-8859-1] (original) +++ trunk/reactos/win32ss/gdi/eng/float.c [iso-8859-1] Tue Mar 5 08:47:51 2013 @@ -18,7 +18,7 @@ BOOL APIENTRY EngRestoreFloatingPointState( - _In_ VOID *Buffer) + PVOID Buffer) { NTSTATUS Status; @@ -34,7 +34,7 @@ ULONG APIENTRY EngSaveFloatingPointState( - VOID *Buffer, + PVOID Buffer, ULONG BufferSize) { KFLOATING_SAVE TempBuffer; Modified: trunk/reactos/win32ss/gdi/eng/mapping.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/eng/mapping.c?… ============================================================================== --- trunk/reactos/win32ss/gdi/eng/mapping.c [iso-8859-1] (original) +++ trunk/reactos/win32ss/gdi/eng/mapping.c [iso-8859-1] Tue Mar 5 08:47:51 2013 @@ -393,7 +393,7 @@ Status = MmCreateSection(&pFileView->pSection, SECTION_ALL_ACCESS, NULL, - cjSizeOfModule ? &liSize : NULL, + &liSize, fl & FVF_READONLY ? PAGE_EXECUTE_READ : PAGE_EXECUTE_READWRITE, SEC_COMMIT, hFile, Modified: trunk/reactos/win32ss/gdi/eng/surface.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/eng/surface.c?… ============================================================================== --- trunk/reactos/win32ss/gdi/eng/surface.c [iso-8859-1] (original) +++ trunk/reactos/win32ss/gdi/eng/surface.c [iso-8859-1] Tue Mar 5 08:47:51 2013 @@ -279,7 +279,7 @@ _In_ LONG lWidth, _In_ ULONG iFormat, _In_ ULONG fl, - _In_ PVOID pvBits) + _In_opt_ PVOID pvBits) { PSURFACE psurf; HBITMAP hbmp; @@ -479,7 +479,7 @@ BOOL APIENTRY EngDeleteSurface( - _In_ HSURF hsurf) + _In_ _Post_ptr_invalid_ HSURF hsurf) { PSURFACE psurf; @@ -537,7 +537,7 @@ VOID APIENTRY EngUnlockSurface( - _In_ SURFOBJ *pso) + _In_ _Post_ptr_invalid_ SURFOBJ *pso) { if (pso != NULL) { Modified: trunk/reactos/win32ss/gdi/eng/xlateobj.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/eng/xlateobj.c… ============================================================================== --- trunk/reactos/win32ss/gdi/eng/xlateobj.c [iso-8859-1] (original) +++ trunk/reactos/win32ss/gdi/eng/xlateobj.c [iso-8859-1] Tue Mar 5 08:47:51 2013 @@ -11,7 +11,7 @@ #define NDEBUG #include <debug.h> -_Always_(_Post_satisfies_(return==iColor)) +_Post_satisfies_(return==iColor) _Function_class_(FN_XLATE) ULONG FASTCALL @@ -38,7 +38,7 @@ /** iXlate functions **********************************************************/ -_Always_(_Post_satisfies_(return==iColor)) +_Post_satisfies_(return==iColor) _Function_class_(FN_XLATE) ULONG FASTCALL Modified: trunk/reactos/win32ss/gdi/eng/xlateobj.h URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/eng/xlateobj.h… ============================================================================== --- trunk/reactos/win32ss/gdi/eng/xlateobj.h [iso-8859-1] (original) +++ trunk/reactos/win32ss/gdi/eng/xlateobj.h [iso-8859-1] Tue Mar 5 08:47:51 2013 @@ -58,8 +58,8 @@ NTAPI EXLATEOBJ_vInitialize( _Out_ PEXLATEOBJ pexlo, - _In_ PPALETTE ppalSrc, - _In_ PPALETTE ppalDst, + _In_opt_ PPALETTE ppalSrc, + _In_opt_ PPALETTE ppalDst, _In_ COLORREF crSrcBackColor, _In_ COLORREF crDstBackColor, _In_ COLORREF crDstForeColor); Modified: trunk/reactos/win32ss/gdi/ntgdi/gdiobj.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/ntgdi/gdiobj.c… ============================================================================== --- trunk/reactos/win32ss/gdi/ntgdi/gdiobj.c [iso-8859-1] (original) +++ trunk/reactos/win32ss/gdi/ntgdi/gdiobj.c [iso-8859-1] Tue Mar 5 08:47:51 2013 @@ -1066,11 +1066,10 @@ APIENTRY NtGdiExtGetObjectW( IN HANDLE hobj, - IN INT cbCount, + IN INT cjBufferSize, OUT LPVOID lpBuffer) { - INT iRetCount = 0; - INT cbCopyCount; + UINT iResult, cjMaxSize; union { BITMAP bitmap; @@ -1083,33 +1082,33 @@ } object; /* Normalize to the largest supported object size */ - cbCount = min((UINT)cbCount, sizeof(object)); + cjMaxSize = min((UINT)cjBufferSize, sizeof(object)); /* Now do the actual call */ - iRetCount = GreGetObject(hobj, cbCount, lpBuffer ? &object : NULL); - cbCopyCount = min((UINT)cbCount, (UINT)iRetCount); - - /* Make sure we have a buffer and a copy size */ - if ((cbCopyCount) && (lpBuffer)) + iResult = GreGetObject(hobj, cjMaxSize, lpBuffer ? &object : NULL); + + /* Check if we have a buffer and data */ + if ((lpBuffer != NULL) && (iResult != 0)) { /* Enter SEH for buffer transfer */ _SEH2_TRY { /* Probe the buffer and copy it */ - ProbeForWrite(lpBuffer, cbCopyCount, sizeof(WORD)); - RtlCopyMemory(lpBuffer, &object, cbCopyCount); + cjMaxSize = min(cjMaxSize, iResult); + ProbeForWrite(lpBuffer, cjMaxSize, sizeof(WORD)); + RtlCopyMemory(lpBuffer, &object, cjMaxSize); } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { /* Clear the return value. * Do *NOT* set last error here! */ - iRetCount = 0; + iResult = 0; } _SEH2_END; } /* Return the count */ - return iRetCount; + return iResult; } W32KAPI Modified: trunk/reactos/win32ss/gdi/ntgdi/gdipool.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/ntgdi/gdipool.… ============================================================================== --- trunk/reactos/win32ss/gdi/ntgdi/gdipool.c [iso-8859-1] (original) +++ trunk/reactos/win32ss/gdi/ntgdi/gdipool.c [iso-8859-1] Tue Mar 5 08:47:51 2013 @@ -127,6 +127,7 @@ PLIST_ENTRY ple; PVOID pvAlloc, pvBaseAddress; SIZE_T cjSize; + NTSTATUS status; /* Disable APCs and acquire the pool lock */ KeEnterCriticalRegion(); @@ -191,12 +192,17 @@ /* Commit the pages */ pvBaseAddress = PAGE_ALIGN(pvAlloc); cjSize = ADDRESS_AND_SIZE_TO_SPAN_PAGES(pvAlloc, pPool->cjAllocSize) * PAGE_SIZE; - ZwAllocateVirtualMemory(NtCurrentProcess(), - &pvBaseAddress, - 0, - &cjSize, - MEM_COMMIT, - PAGE_READWRITE); + status = ZwAllocateVirtualMemory(NtCurrentProcess(), + &pvBaseAddress, + 0, + &cjSize, + MEM_COMMIT, + PAGE_READWRITE); + if (!NT_SUCCESS(status)) + { + pvAlloc = NULL; + goto done; + } pSection->ulCommitBitmap |= ulPageBit; } Modified: trunk/reactos/win32ss/gdi/ntgdi/line.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/ntgdi/line.c?r… ============================================================================== --- trunk/reactos/win32ss/gdi/ntgdi/line.c [iso-8859-1] (original) +++ trunk/reactos/win32ss/gdi/ntgdi/line.c [iso-8859-1] Tue Mar 5 08:47:51 2013 @@ -420,7 +420,8 @@ { PDC dc; PDC_ATTR pdcattr; - POINT *line_pts = NULL, *line_pts_old, *bzr_pts = NULL, bzr[4]; + POINT bzr[4]; + volatile PPOINT line_pts, line_pts_old, bzr_pts; INT num_pts, num_bzr_pts, space, space_old, size; ULONG i; BOOL result = FALSE; @@ -440,6 +441,10 @@ DC_UnlockDc(dc); return TRUE; } + + line_pts = NULL; + line_pts_old = NULL; + bzr_pts = NULL; _SEH2_TRY { @@ -475,6 +480,12 @@ space = cCount + 300; line_pts = ExAllocatePoolWithTag(PagedPool, space * sizeof(POINT), TAG_SHAPE); + if (line_pts == NULL) + { + result = FALSE; + _SEH2_LEAVE; + } + num_pts = 1; line_pts[0].x = pdcattr->ptlCurrent.x; @@ -510,10 +521,12 @@ if (!line_pts) _SEH2_LEAVE; RtlCopyMemory(line_pts, line_pts_old, space_old * sizeof(POINT)); ExFreePoolWithTag(line_pts_old, TAG_SHAPE); + line_pts_old = NULL; } RtlCopyMemory( &line_pts[num_pts], &bzr_pts[1], (num_bzr_pts - 1) * sizeof(POINT) ); num_pts += num_bzr_pts - 1; ExFreePoolWithTag(bzr_pts, TAG_BEZIER); + bzr_pts = NULL; } i += 2; break; @@ -523,14 +536,28 @@ if (num_pts >= 2) IntGdiPolyline( dc, line_pts, num_pts ); IntGdiMoveToEx( dc, line_pts[num_pts - 1].x, line_pts[num_pts - 1].y, NULL, TRUE ); + result = TRUE; + } + _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) + { + SetLastNtError(_SEH2_GetExceptionCode()); + } + _SEH2_END; + + if (line_pts != NULL) + { ExFreePoolWithTag(line_pts, TAG_SHAPE); - result = TRUE; - } - _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) - { - SetLastNtError(_SEH2_GetExceptionCode()); - } - _SEH2_END; + } + + if ((line_pts_old != NULL) && (line_pts_old != line_pts)) + { + ExFreePoolWithTag(line_pts_old, TAG_SHAPE); + } + + if (bzr_pts != NULL) + { + ExFreePoolWithTag(bzr_pts, TAG_BEZIER); + } DC_UnlockDc(dc); Modified: trunk/reactos/win32ss/gdi/ntgdi/pen.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/ntgdi/pen.c?re… ============================================================================== --- trunk/reactos/win32ss/gdi/ntgdi/pen.c [iso-8859-1] (original) +++ trunk/reactos/win32ss/gdi/ntgdi/pen.c [iso-8859-1] Tue Mar 5 08:47:51 2013 @@ -312,6 +312,12 @@ if (dwStyleCount > 0) { + if (pUnsafeStyle == NULL) + { + EngSetLastError(ERROR_INVALID_PARAMETER); + return 0; + } + pSafeStyle = ExAllocatePoolWithTag(NonPagedPool, dwStyleCount * sizeof(DWORD), GDITAG_PENSTYLE); Modified: trunk/reactos/win32ss/gdi/ntgdi/text.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/ntgdi/text.c?r… ============================================================================== --- trunk/reactos/win32ss/gdi/ntgdi/text.c [iso-8859-1] (original) +++ trunk/reactos/win32ss/gdi/ntgdi/text.c [iso-8859-1] Tue Mar 5 08:47:51 2013 @@ -523,11 +523,9 @@ NtGdiGetTextMetricsW( IN HDC hDC, OUT TMW_INTERNAL * pUnsafeTmwi, - IN ULONG cj -) + IN ULONG cj) { TMW_INTERNAL Tmwi; - NTSTATUS Status = STATUS_SUCCESS; if ( cj <= sizeof(TMW_INTERNAL) ) { @@ -540,15 +538,11 @@ } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { - Status = _SEH2_GetExceptionCode(); + SetLastNtError(_SEH2_GetExceptionCode()); + return FALSE; } _SEH2_END - if (!NT_SUCCESS(Status)) - { - SetLastNtError(Status); - return FALSE; - } return TRUE; } } Modified: trunk/reactos/win32ss/reactx/ntddraw/dxeng.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/reactx/ntddraw/dxe… ============================================================================== --- trunk/reactos/win32ss/reactx/ntddraw/dxeng.c [iso-8859-1] (original) +++ trunk/reactos/win32ss/reactx/ntddraw/dxeng.c [iso-8859-1] Tue Mar 5 08:47:51 2013 @@ -286,7 +286,7 @@ DPRINT1("ReactX Calling : DxEngGetHdevData DXEGSHDEVDATA : %ld\n", Type); #if 1 - DPRINT1("HDEV hDev %08lx\n", hDev); + DPRINT1("HDEV hDev %p\n", hDev); #endif switch ( Type ) @@ -454,7 +454,7 @@ PDC pDC = DC_LockDc(hDC); DWORD_PTR retVal = 0; - DPRINT1("ReactX Calling : DxEngGetDCState type : %ld\n", type); + DPRINT1("ReactX Calling : DxEngGetDCState type : %lu\n", type); if (pDC) { @@ -474,7 +474,7 @@ } default: /* If a valid type is not found, zero is returned */ - DPRINT1("Warning: did not find type %d\n",type); + DPRINT1("Warning: did not find type %lu\n", type); break; } DC_UnlockDc(pDC); @@ -531,7 +531,7 @@ DPRINT1("ReactX Calling : DxEngLockHdev \n"); - DPRINT1("hDev : 0x%08lx\n",hDev); + DPRINT1("hDev : 0x%p\n",hDev); Resource = (PERESOURCE)ppdev->hsemDevLock; Modified: trunk/reactos/win32ss/user/ntuser/callback.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/user/ntuser/callba… ============================================================================== --- trunk/reactos/win32ss/user/ntuser/callback.c [iso-8859-1] (original) +++ trunk/reactos/win32ss/user/ntuser/callback.c [iso-8859-1] Tue Mar 5 08:47:51 2013 @@ -382,7 +382,7 @@ UserLeaveCo(); Status = KeUserModeCallback(USER32_CALLBACK_LOADSYSMENUTEMPLATE, - NULL, + &ResultPointer, 0, &ResultPointer, &ResultLength);