[ros-diffs] [jmorlan] 34358: IntGdiCreateBitmap: Tighten up parameter checks, preventing overflows; don't multiply by Planes twice in calculating WidthBytes. IntCreateCompatibleBitmap: Remove 65535px maximum (Windows has no such limit); return the stock 1x1 bitmap instead of creating a new one. BITMAPOBJ_GetRealBitsPixel: Change parameter type to UINT; remove 2bpp return (2bpp bitmaps are not actually supported)

Author: jmorlan Date: Mon Jul 7 11:03:14 2008 New Revision: 34358 URL: http://svn.reactos.org/svn/reactos?rev=34358&view=rev Log: IntGdiCreateBitmap: Tighten up parameter checks, preventing overflows; don't multiply by Planes twice in calculating WidthBytes. IntCreateCompatibleBitmap: Remove 65535px maximum (Windows has no such limit); return the stock 1x1 bitmap instead of creating a new one. BITMAPOBJ_GetRealBitsPixel: Change parameter type to UINT; remove 2bpp return (2bpp bitmaps are not actually supported) Modified: trunk/reactos/subsystems/win32/win32k/include/bitmaps.h trunk/reactos/subsystems/win32/win32k/objects/bitmaps.c Modified: trunk/reactos/subsystems/win32/win32k/include/bitmaps.h URL: http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/in… ============================================================================== --- trunk/reactos/subsystems/win32/win32k/include/bitmaps.h [iso-8859-1] (original) +++ trunk/reactos/subsystems/win32/win32k/include/bitmaps.h [iso-8859-1] Mon Jul 7 11:03:14 2008 @@ -53,7 +53,7 @@ void INTERNAL_CALL BITMAPOBJ_CleanupBitsLock(BITMAPOBJ *pBMObj); INT FASTCALL BITMAPOBJ_GetWidthBytes (INT bmWidth, INT bpp); -INT FASTCALL BITMAPOBJ_GetRealBitsPixel(INT nBitsPixel); +UINT FASTCALL BITMAPOBJ_GetRealBitsPixel(UINT nBitsPixel); HBITMAP FASTCALL BITMAPOBJ_CopyBitmap (HBITMAP hBitmap); INT FASTCALL DIB_GetDIBWidthBytes (INT width, INT depth); int NTAPI DIB_GetDIBImageBytes (INT width, INT height, INT depth); Modified: trunk/reactos/subsystems/win32/win32k/objects/bitmaps.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/ob… ============================================================================== --- trunk/reactos/subsystems/win32/win32k/objects/bitmaps.c [iso-8859-1] (original) +++ trunk/reactos/subsystems/win32/win32k/objects/bitmaps.c [iso-8859-1] Mon Jul 7 11:03:14 2008 @@ -47,17 +47,25 @@ BitsPixel = BITMAPOBJ_GetRealBitsPixel(BitsPixel * Planes); /* Check parameters */ - if (BitsPixel == 0 || Width < 0) + if (BitsPixel == 0 || Width <= 0 || Width >= 0x8000000 || Height == 0) { DPRINT1("Width = %d, Height = %d BitsPixel = %d\n", Width, Height, BitsPixel); SetLastWin32Error(ERROR_INVALID_PARAMETER); return 0; } - WidthBytes = BITMAPOBJ_GetWidthBytes(Width, Planes * BitsPixel); - - Size.cx = abs(Width); + WidthBytes = BITMAPOBJ_GetWidthBytes(Width, BitsPixel); + + Size.cx = Width; Size.cy = abs(Height); + + /* Make sure that cjBits will not overflow */ + if ((ULONGLONG)WidthBytes * Size.cy >= 0x100000000ULL) + { + DPRINT1("Width = %d, Height = %d BitsPixel = %d\n", Width, Height, BitsPixel); + SetLastWin32Error(ERROR_INVALID_PARAMETER); + return 0; + } /* Create the bitmap object. */ hBitmap = IntCreateBitmap(Size, WidthBytes, @@ -166,18 +174,10 @@ { HBITMAP Bmp; - Bmp = NULL; - - if ((Width >= 0x10000) || (Height >= 0x10000)) - { - DPRINT1("got bad width %d or height %d, please look for reason\n", Width, Height); - return NULL; - } - /* MS doc says if width or height is 0, return 1-by-1 pixel, monochrome bitmap */ if (0 == Width || 0 == Height) { - Bmp = IntGdiCreateBitmap (1, 1, 1, 1, NULL); + Bmp = NtGdiGetStockObject(DEFAULT_BITMAP); } else { @@ -602,15 +602,11 @@ /* Internal Functions */ -INT FASTCALL -BITMAPOBJ_GetRealBitsPixel(INT nBitsPixel) -{ - if (nBitsPixel < 0) - return 0; +UINT FASTCALL +BITMAPOBJ_GetRealBitsPixel(UINT nBitsPixel) +{ if (nBitsPixel <= 1) return 1; - if (nBitsPixel <= 2) - return 2; if (nBitsPixel <= 4) return 4; if (nBitsPixel <= 8)