[ros-diffs] [navaraf] 17016: Merge 16737 from trunk:

Merge 16737 from trunk: Fix some bugs in DIB mapping code to prevent instant system crashes. Modified: branches/ros-branch-0_2_7/reactos/subsys/win32k/objects/dib.c _____ Modified: branches/ros-branch-0_2_7/reactos/subsys/win32k/objects/dib.c --- branches/ros-branch-0_2_7/reactos/subsys/win32k/objects/dib.c 2005-08-03 17:14:26 UTC (rev 17015) +++ branches/ros-branch-0_2_7/reactos/subsys/win32k/objects/dib.c 2005-08-03 17:15:11 UTC (rev 17016) @@ -175,7 +175,7 @@ RECTL DestRect; XLATEOBJ *XlateObj; PPALGDI hDCPalette; - //RGBQUAD *lpRGB; + //RGBQUAD *lpRGB; HPALETTE DDB_Palette, DIB_Palette; ULONG DDB_Palette_Type, DIB_Palette_Type; INT DIBWidth; @@ -190,7 +190,7 @@ //if (ColorUse == DIB_PAL_COLORS) // lpRGB = DIB_MapPaletteColors(hDC, bmi); //else - // lpRGB = &bmi->bmiColors[0]; + // lpRGB = &bmi->bmiColors; DestSurf = &bitmap->SurfObj; @@ -810,6 +810,7 @@ UINT Entries = 0; BITMAP bm; SIZEL Size; + RGBQUAD *lpRGB; DPRINT("format (%ld,%ld), planes %d, bpp %d, size %ld, colors %ld (%s)\n", bi->biWidth, bi->biHeight, bi->biPlanes, bi->biBitCount, @@ -846,7 +847,9 @@ } if(usage == DIB_PAL_COLORS) - memcpy(bmi->bmiColors, (UINT *)DIB_MapPaletteColors(dc, bmi), sizeof(UINT *)); + lpRGB = DIB_MapPaletteColors(dc, bmi); + else + lpRGB = bmi->bmiColors; // Allocate Memory for DIB and fill structure if (bm.bmBits) @@ -869,9 +872,9 @@ else switch(bi->biBitCount) { case 16: - dib->dsBitfields[0] = (bi->biCompression == BI_BITFIELDS) ? *(DWORD *)bmi->bmiColors : 0x7c00; - dib->dsBitfields[1] = (bi->biCompression == BI_BITFIELDS) ? *((DWORD *)bmi->bmiColors + 1) : 0x03e0; - dib->dsBitfields[2] = (bi->biCompression == BI_BITFIELDS) ? *((DWORD *)bmi->bmiColors + 2) : 0x001f; break; + dib->dsBitfields[0] = (bi->biCompression == BI_BITFIELDS) ? *(DWORD *)lpRGB : 0x7c00; + dib->dsBitfields[1] = (bi->biCompression == BI_BITFIELDS) ? *((DWORD *)lpRGB + 1) : 0x03e0; + dib->dsBitfields[2] = (bi->biCompression == BI_BITFIELDS) ? *((DWORD *)lpRGB + 2) : 0x001f; break; case 24: dib->dsBitfields[0] = 0xff0000; @@ -880,9 +883,9 @@ break; case 32: - dib->dsBitfields[0] = (bi->biCompression == BI_BITFIELDS) ? *(DWORD *)bmi->bmiColors : 0xff0000; - dib->dsBitfields[1] = (bi->biCompression == BI_BITFIELDS) ? *((DWORD *)bmi->bmiColors + 1) : 0x00ff00; - dib->dsBitfields[2] = (bi->biCompression == BI_BITFIELDS) ? *((DWORD *)bmi->bmiColors + 2) : 0x0000ff; + dib->dsBitfields[0] = (bi->biCompression == BI_BITFIELDS) ? *(DWORD *)lpRGB : 0xff0000; + dib->dsBitfields[1] = (bi->biCompression == BI_BITFIELDS) ? *((DWORD *)lpRGB + 1) : 0x00ff00; + dib->dsBitfields[2] = (bi->biCompression == BI_BITFIELDS) ? *((DWORD *)lpRGB + 2) : 0x0000ff; break; } dib->dshSection = section; @@ -901,12 +904,20 @@ bm.bmBits); if (! res) { + if (lpRGB != bmi->bmiColors) + { + ExFreePool(lpRGB); + } SetLastWin32Error(ERROR_NO_SYSTEM_RESOURCES); return NULL; } bmp = BITMAPOBJ_LockBitmap(res); if (NULL == bmp) { + if (lpRGB != bmi->bmiColors) + { + ExFreePool(lpRGB); + } SetLastWin32Error(ERROR_INVALID_HANDLE); NtGdiDeleteObject(bmp); return NULL; @@ -921,7 +932,7 @@ if(bi->biBitCount == 8) { Entries = 256; } if (Entries) - bmp->hDIBPalette = PALETTE_AllocPaletteIndexedRGB(Entries, bmi->bmiColors); + bmp->hDIBPalette = PALETTE_AllocPaletteIndexedRGB(Entries, lpRGB); else bmp->hDIBPalette = PALETTE_AllocPalette(PAL_BITFIELDS, 0, NULL, dib->dsBitfields[0], @@ -946,6 +957,11 @@ if (res) { BITMAPOBJ_FreeBitmap(res); res = 0; } } + if (lpRGB != bmi->bmiColors) + { + ExFreePool(lpRGB); + } + if (bmp) { BITMAPOBJ_UnlockBitmap(bmp); @@ -1097,6 +1113,12 @@ return NULL; } + if (palGDI->Mode != PAL_INDEXED) + { + PALETTE_UnlockPalette(palGDI); + return NULL; + } + nNumColors = 1 << lpbmi->bmiHeader.biBitCount; if (lpbmi->bmiHeader.biClrUsed) {