Modified: trunk/reactos/subsys/win32k/objects/brush.c
Modified: trunk/reactos/subsys/win32k/objects/cliprgn.c
Modified: trunk/reactos/subsys/win32k/objects/coord.c
Modified: trunk/reactos/subsys/win32k/objects/dc.c
Modified: trunk/reactos/subsys/win32k/objects/fillshap.c
Modified: trunk/reactos/subsys/win32k/objects/line.c
Modified: trunk/reactos/subsys/win32k/objects/pen.c
Modified: trunk/reactos/subsys/win32k/objects/print.c
Modified: trunk/reactos/subsys/win32k/objects/rect.c
Modified: trunk/reactos/subsys/win32k/objects/region.c
--- trunk/reactos/subsys/win32k/objects/brush.c 2005-07-26 11:22:48 UTC (rev 16737)
+++ trunk/reactos/subsys/win32k/objects/brush.c 2005-07-26 12:22:55 UTC (rev 16738)
@@ -563,7 +563,7 @@
CONST VOID *PackedDIB)
{
BITMAPINFO *SafeBitmapInfoAndData;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
HBRUSH hBrush;
SafeBitmapInfoAndData = EngAllocMem(0, BitmapInfoSize, 0);
@@ -573,10 +573,24 @@
return NULL;
}
- Status = MmCopyFromCaller(SafeBitmapInfoAndData, BitmapInfoAndData,
- BitmapInfoSize);
+ _SEH_TRY
+ {
+ ProbeForRead(BitmapInfoAndData,
+ BitmapInfoSize,
+ 1);
+ RtlCopyMemory(SafeBitmapInfoAndData,
+ BitmapInfoAndData,
+ BitmapInfoSize);
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
if (!NT_SUCCESS(Status))
{
+ EngFreeMem(SafeBitmapInfoAndData);
SetLastNtError(Status);
return 0;
}
@@ -632,11 +646,23 @@
if (Point != NULL)
{
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
POINT SafePoint;
SafePoint.x = dc->w.brushOrgX;
SafePoint.y = dc->w.brushOrgY;
- Status = MmCopyToCaller(Point, &SafePoint, sizeof(POINT));
+ _SEH_TRY
+ {
+ ProbeForWrite(Point,
+ sizeof(POINT),
+ 1);
+ *Point = SafePoint;
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
@@ -661,7 +687,7 @@
ULONG Reserved)
{
PPATRECT rb = NULL;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
BOOL Ret;
if (cRects > 0)
@@ -672,7 +698,21 @@
SetLastWin32Error(ERROR_NOT_ENOUGH_MEMORY);
return FALSE;
}
- Status = MmCopyFromCaller(rb, pRects, sizeof(PATRECT) * cRects);
+ _SEH_TRY
+ {
+ ProbeForRead(pRects,
+ cRects * sizeof(PATRECT),
+ 1);
+ RtlCopyMemory(rb,
+ pRects,
+ cRects * sizeof(PATRECT));
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
if (!NT_SUCCESS(Status))
{
ExFreePool(rb);
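Review bot: `cRects * sizeof(PATRECT)` in the ProbeForRead and RtlCopyMemory calls is computed from a caller-supplied count with no upper bound visible in this hunk, so the product can wrap. A wrapped size makes the probe and copy (and presumably the allocation above the hunk) cover fewer than cRects entries, and any later loop over cRects would then read past the pool buffer. Reject oversized counts before allocating, e.g. `if (cRects > MAXULONG / sizeof(PATRECT)) { SetLastWin32Error(ERROR_INVALID_PARAMETER); return FALSE; }`, adjusting the limit to cRects' actual type, which is declared outside the hunk. Unless bounded by checks outside those hunks, the same unchecked multiplication appears in fillshap.c at `Count * sizeof(POINT)` (hunks @@ -853 and @@ -913) and `uVertex * sizeof(TRIVERTEX)` (hunk @@ -1555).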
--- trunk/reactos/subsys/win32k/objects/cliprgn.c 2005-07-26 11:22:48 UTC (rev 16737)
+++ trunk/reactos/subsys/win32k/objects/cliprgn.c 2005-07-26 12:22:55 UTC (rev 16738)
@@ -192,7 +192,19 @@
Ret = IntGdiGetClipBox(hDC, &Saferect);
- Status = MmCopyToCaller(rc, &Saferect, sizeof(RECT));
+ _SEH_TRY
+ {
+ ProbeForWrite(rc,
+ sizeof(RECT),
+ 1);
+ *rc = Saferect;
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
if(!NT_SUCCESS(Status))
{
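Review bot: Status is only assigned inside `_SEH_HANDLE` here, and no hunk in cliprgn.c before this one changes its declaration, so unless it was already initialized the `if(!NT_SUCCESS(Status))` test reads an indeterminate value whenever the write to rc succeeds. The other converted functions get `NTSTATUS Status = STATUS_SUCCESS;`; the declaration for this function, which lies above the hunk, needs the same. The fillshap.c hunk at @@ -913 appears to have the same gap: it adds a probe block that sets Status only on exception, and no hunk touches that function's declaration.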
@@ -341,7 +353,7 @@
BOOL STDCALL NtGdiRectVisible(HDC hDC,
CONST PRECT UnsafeRect)
{
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
PROSRGNDATA Rgn;
PDC dc = DC_LockDc(hDC);
BOOL Result = FALSE;
@@ -353,10 +365,23 @@
return FALSE;
}
- Status = MmCopyFromCaller(&Rect, UnsafeRect, sizeof(RECT));
+ _SEH_TRY
+ {
+ ProbeForRead(UnsafeRect,
+ sizeof(RECT),
+ 1);
+ Rect = *UnsafeRect;
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
+ SetLastNtError(Status);
return FALSE;
}
--- trunk/reactos/subsys/win32k/objects/coord.c 2005-07-26 11:22:48 UTC (rev 16737)
+++ trunk/reactos/subsys/win32k/objects/coord.c 2005-07-26 12:22:55 UTC (rev 16738)
@@ -63,17 +63,29 @@
{
XFORM xformTemp;
XFORM xform1, xform2;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
BOOL Ret;
-
- Status = MmCopyFromCaller( &xform1, Unsafexform1, sizeof(XFORM) );
- if(!NT_SUCCESS(Status))
+ _SEH_TRY
{
- SetLastNtError(Status);
- return FALSE;
+ ProbeForWrite(UnsafeXFormResult,
+ sizeof(XFORM),
+ 1);
+ ProbeForRead(Unsafexform1,
+ sizeof(XFORM),
+ 1);
+ ProbeForRead(Unsafexform2,
+ sizeof(XFORM),
+ 1);
+ xform1 = *Unsafexform1;
+ xform2 = *Unsafexform2;
}
- Status = MmCopyFromCaller( &xform2, Unsafexform2, sizeof(XFORM) );
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
@@ -83,7 +95,17 @@
Ret = IntGdiCombineTransform(&xformTemp, &xform1, &xform2);
/* Copy the result to xformResult */
- Status = MmCopyToCaller( UnsafeXFormResult, &xformTemp, sizeof(XFORM) );
+ _SEH_TRY
+ {
+ /* pointer was already probed! */
+ *UnsafeXFormResult = xformTemp;
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
@@ -131,7 +153,7 @@
int Count)
{
PDC dc;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
LPPOINT Points;
ULONG Size;
@@ -159,7 +181,21 @@
return FALSE;
}
- Status = MmCopyFromCaller(Points, UnsafePoints, Size);
+ _SEH_TRY
+ {
+ ProbeForWrite(UnsafePoints,
+ Size,
+ 1);
+ RtlCopyMemory(Points,
+ UnsafePoints,
+ Size);
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
@@ -170,7 +206,19 @@
IntDPtoLP(dc, Points, Count);
- Status = MmCopyToCaller(UnsafePoints, Points, Size);
+ _SEH_TRY
+ {
+ /* pointer was already probed! */
+ RtlCopyMemory(UnsafePoints,
+ Points,
+ Size);
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
@@ -218,7 +266,7 @@
LPXFORM XForm)
{
PDC dc;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
dc = DC_LockDc ( hDC );
if (!dc)
@@ -233,7 +281,18 @@
return FALSE;
}
- Status = MmCopyToCaller(XForm, &dc->w.xformWorld2Wnd, sizeof(XFORM));
+ _SEH_TRY
+ {
+ ProbeForWrite(XForm,
+ sizeof(XFORM),
+ 1);
+ *XForm = dc->w.xformWorld2Wnd;
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
DC_UnlockDc(dc);
return NT_SUCCESS(Status);
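Review bot: The failure path here returns FALSE without recording the exception code, while the other converted functions in this commit call `SetLastNtError(Status)` before returning. Adding `if (!NT_SUCCESS(Status)) SetLastNtError(Status);` after `DC_UnlockDc(dc);` would let callers see why the call failed. The start of the function is outside the hunk.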
@@ -280,7 +339,7 @@
NtGdiLPtoDP ( HDC hDC, LPPOINT UnsafePoints, INT Count )
{
PDC dc;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
LPPOINT Points;
ULONG Size;
@@ -308,7 +367,21 @@
return FALSE;
}
- Status = MmCopyFromCaller(Points, UnsafePoints, Size);
+ _SEH_TRY
+ {
+ ProbeForWrite(UnsafePoints,
+ Size,
+ 1);
+ RtlCopyMemory(Points,
+ UnsafePoints,
+ Size);
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
@@ -319,7 +392,19 @@
IntLPtoDP(dc, Points, Count);
- Status = MmCopyToCaller(UnsafePoints, Points, Size);
+ _SEH_TRY
+ {
+ /* pointer was already probed! */
+ RtlCopyMemory(UnsafePoints,
+ Points,
+ Size);
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
@@ -341,7 +426,7 @@
{
PDC dc;
XFORM SafeXForm;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
dc = DC_LockDc(hDC);
if (!dc)
@@ -357,7 +442,19 @@
return FALSE;
}
- Status = MmCopyFromCaller(&SafeXForm, UnsafeXForm, sizeof(XFORM));
+ _SEH_TRY
+ {
+ ProbeForRead(UnsafeXForm,
+ sizeof(XFORM),
+ 1);
+ SafeXForm = *UnsafeXForm;
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
@@ -403,8 +500,7 @@
LPPOINT UnsafePoint)
{
PDC dc;
- POINT Point;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
dc = DC_LockDc ( hDC );
if(!dc)
@@ -415,9 +511,20 @@
if (UnsafePoint)
{
- Point.x = dc->vportOrgX;
- Point.y = dc->vportOrgY;
- Status = MmCopyToCaller(UnsafePoint, &Point, sizeof(POINT));
+ _SEH_TRY
+ {
+ ProbeForWrite(UnsafePoint,
+ sizeof(POINT),
+ 1);
+ UnsafePoint->x = dc->vportOrgX;
+ UnsafePoint->y = dc->vportOrgY;
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
if ( !NT_SUCCESS(Status) )
{
SetLastNtError(Status);
@@ -452,13 +559,22 @@
if (Point)
{
- POINT SafePoint;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
+
+ _SEH_TRY
+ {
+ ProbeForWrite(Point,
+ sizeof(POINT),
+ 1);
+ Point->x = dc->wndOrgX;
+ Point->y = dc->wndOrgY;
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
- SafePoint.x = dc->wndOrgX;
- SafePoint.y = dc->wndOrgY;
-
- Status = MmCopyToCaller(Point, &SafePoint, sizeof(POINT));
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
@@ -594,13 +710,22 @@
if (Size)
{
- SIZE SafeSize;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
- SafeSize.cx = dc->vportExtX;
- SafeSize.cy = dc->vportExtY;
+ _SEH_TRY
+ {
+ ProbeForWrite(Size,
+ sizeof(SIZE),
+ 1);
+ Size->cx = dc->vportExtX;
+ Size->cy = dc->vportExtY;
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
- Status = MmCopyToCaller(Size, &SafeSize, sizeof(SIZE));
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
@@ -636,13 +761,22 @@
if (Point)
{
- POINT SafePoint;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
+
+ _SEH_TRY
+ {
+ ProbeForWrite(Point,
+ sizeof(POINT),
+ 1);
+ Point->x = dc->vportOrgX;
+ Point->y = dc->vportOrgY;
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
- SafePoint.x = dc->vportOrgX;
- SafePoint.y = dc->vportOrgY;
-
- Status = MmCopyToCaller(Point, &SafePoint, sizeof(POINT));
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
@@ -690,13 +824,22 @@
if (Size)
{
- SIZE SafeSize;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
+
+ _SEH_TRY
+ {
+ ProbeForWrite(Size,
+ sizeof(SIZE),
+ 1);
+ Size->cx = dc->wndExtX;
+ Size->cy = dc->wndExtY;
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
- SafeSize.cx = dc->wndExtX;
- SafeSize.cy = dc->wndExtY;
-
- Status = MmCopyToCaller(Size, &SafeSize, sizeof(SIZE));
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
@@ -732,13 +875,22 @@
if (Point)
{
- POINT SafePoint;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
+
+ _SEH_TRY
+ {
+ ProbeForWrite(Point,
+ sizeof(POINT),
+ 1);
+ Point->x = dc->wndOrgX;
+ Point->y = dc->wndOrgY;
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
- SafePoint.x = dc->wndOrgX;
- SafePoint.y = dc->wndOrgY;
-
- Status = MmCopyToCaller(Point, &SafePoint, sizeof(POINT));
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
@@ -762,7 +914,7 @@
CONST LPXFORM XForm)
{
PDC dc;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
dc = DC_LockDc (hDC);
if ( !dc )
@@ -785,7 +937,19 @@
return FALSE;
}
- Status = MmCopyFromCaller(&dc->w.xformWorld2Wnd, XForm, sizeof(XFORM));
+ _SEH_TRY
+ {
+ ProbeForRead(XForm,
+ sizeof(XFORM),
+ 1);
+ dc->w.xformWorld2Wnd = *XForm;
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
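Review bot: `dc->w.xformWorld2Wnd = *XForm;` copies from user memory straight into the locked DC, so a fault part-way through the structure copy can leave the DC's world transform half-updated even though the call then reports failure. Capture into a local first, with `XFORM SafeXForm;` and `SafeXForm = *XForm;` inside the `_SEH_TRY`, and assign `dc->w.xformWorld2Wnd = SafeXForm;` only after the `NT_SUCCESS(Status)` check passes. That also gives a single place to validate the matrix before it becomes DC state. The function begins and ends outside the hunk.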
--- trunk/reactos/subsys/win32k/objects/dc.c 2005-07-26 11:22:48 UTC (rev 16737)
+++ trunk/reactos/subsys/win32k/objects/dc.c 2005-07-26 12:22:55 UTC (rev 16738)
@@ -69,7 +69,7 @@
} \
BOOL STDCALL NtGdi##FuncName ( HDC hdc, LP##type pt ) \
{ \
- NTSTATUS Status; \
+ NTSTATUS Status = STATUS_SUCCESS; \
type Safept; \
PDC dc; \
if(!pt) \
@@ -84,7 +84,18 @@
} \
Int##FuncName( dc, &Safept); \
DC_UnlockDc(dc); \
- Status = MmCopyToCaller(pt, &Safept, sizeof( type )); \
+ _SEH_TRY \
+ { \
+ ProbeForWrite(pt, \
+ sizeof( type ), \
+ 1); \
+ *pt = Safept; \
+ } \
+ _SEH_HANDLE \
+ { \
+ Status = _SEH_GetExceptionCode(); \
+ } \
+ _SEH_END; \
if(!NT_SUCCESS(Status)) \
{ \
SetLastNtError(Status); \
@@ -830,11 +841,25 @@
UNICODE_STRING SafeDriver, SafeDevice;
DEVMODEW SafeInitData;
HDC Ret;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
if(InitData)
{
- Status = MmCopyFromCaller(&SafeInitData, InitData, sizeof(DEVMODEW));
+ _SEH_TRY
+ {
+ ProbeForRead(InitData,
+ sizeof(DEVMODEW),
+ 1);
+ RtlCopyMemory(&SafeInitData,
+ InitData,
+ sizeof(DEVMODEW));
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
@@ -878,11 +903,24 @@
UNICODE_STRING SafeDriver, SafeDevice;
DEVMODEW SafeInitData;
HDC Ret;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
if(InitData)
{
- Status = MmCopyFromCaller(&SafeInitData, InitData, sizeof(DEVMODEW));
+ _SEH_TRY
+ {
+ ProbeForRead(InitData,
+ sizeof(DEVMODEW),
+ 1);
+ RtlCopyMemory(&SafeInitData,
+ InitData,
+ sizeof(DEVMODEW));
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
@@ -1076,7 +1114,7 @@
BOOL Ret;
DC *dc;
POINT SafePoint;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
if(!Point)
{
@@ -1093,7 +1131,19 @@
Ret = IntGdiGetDCOrgEx(dc, &SafePoint);
- Status = MmCopyToCaller(Point, &SafePoint, sizeof(POINT));
+ _SEH_TRY
+ {
+ ProbeForWrite(Point,
+ sizeof(POINT),
+ 1);
+ *Point = SafePoint;
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
@@ -1621,12 +1671,30 @@
{
INT Ret;
LPVOID SafeBuf;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
if (count <= 0)
{
return 0;
}
+
+ _SEH_TRY
+ {
+ ProbeForWrite(buffer,
+ count,
+ 1);
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
+ if(!NT_SUCCESS(Status))
+ {
+ SetLastNtError(Status);
+ return 0;
+ }
SafeBuf = ExAllocatePoolWithTag(PagedPool, count, TAG_GDIOBJ);
if(!SafeBuf)
@@ -1637,7 +1705,19 @@
Ret = IntGdiGetObject(handle, count, SafeBuf);
- Status = MmCopyToCaller(buffer, SafeBuf, count);
+ _SEH_TRY
+ {
+ /* pointer already probed! */
+ RtlCopyMemory(buffer,
+ SafeBuf,
+ count);
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
ExFreePool(SafeBuf);
if(!NT_SUCCESS(Status))
{
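Review bot: The copy-out sends all `count` bytes of SafeBuf to the caller, but SafeBuf comes from `ExAllocatePoolWithTag` (previous hunk), which does not zero memory, and IntGdiGetObject returns a value in Ret that may be smaller than count. If it fills fewer bytes, the remainder is stale kernel pool contents disclosed to user mode. Either clear the buffer right after allocation with `RtlZeroMemory(SafeBuf, count);` or copy only the bytes actually produced, using Ret as the length when `Ret > 0 && Ret <= count`. Whether Ret is a byte count should be confirmed against IntGdiGetObject, which is not shown.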
--- trunk/reactos/subsys/win32k/objects/fillshap.c 2005-07-26 11:22:48 UTC (rev 16737)
+++ trunk/reactos/subsys/win32k/objects/fillshap.c 2005-07-26 12:22:55 UTC (rev 16738)
@@ -845,7 +845,7 @@
{
DC *dc;
LPPOINT Safept;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
BOOL Ret = FALSE;
if ( Count < 2 )
@@ -853,6 +853,24 @@
SetLastWin32Error(ERROR_INVALID_PARAMETER);
return FALSE;
}
+
+ _SEH_TRY
+ {
+ ProbeForRead(UnsafePoints,
+ Count * sizeof(POINT),
+ 1);
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
+ if (!NT_SUCCESS(Status))
+ {
+ SetLastNtError(Status);
+ return FALSE;
+ }
dc = DC_LockDc(hDC);
if(!dc)
@@ -870,7 +888,19 @@
SetLastWin32Error(ERROR_NOT_ENOUGH_MEMORY);
else
{
- Status = MmCopyFromCaller(Safept, UnsafePoints, sizeof(POINT) * Count);
+ _SEH_TRY
+ {
+ /* pointer was already probed! */
+ RtlCopyMemory(Safept,
+ UnsafePoints,
+ Count * sizeof(POINT));
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
if(!NT_SUCCESS(Status))
SetLastNtError(Status);
else
@@ -913,6 +943,28 @@
if(Count > 0)
{
+ _SEH_TRY
+ {
+ ProbeForRead(Points,
+ Count * sizeof(POINT),
+ 1);
+ ProbeForRead(PolyCounts,
+ Count * sizeof(INT),
+ 1);
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
+ if (!NT_SUCCESS(Status))
+ {
+ DC_UnlockDc(dc);
+ SetLastNtError(Status);
+ return FALSE;
+ }
+
Safept = ExAllocatePoolWithTag(PagedPool, (sizeof(POINT) + sizeof(INT)) * Count, TAG_SHAPE);
if(!Safept)
{
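Review bot: Points is probed (and, in the next hunk, copied) for only `Count` entries, the same Count used for PolyCounts. If Count is the number of polygons, as in the Win32 PolyPolygon contract, the point array actually holds the sum of the PolyCounts values, so the kernel copy in Safept would be shorter than what the drawing code walks and it could read past the pool allocation. That sizing predates this commit, but the new probe repeats it; the length should come from the captured PolyCounts total (with an overflow check) rather than from Count. Until that is verified against the callee, a marker such as `/* FIXME: Points holds sum(PolyCounts[i]) entries, not Count */` above the probe would flag it. The function starts above the hunk.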
@@ -922,16 +974,23 @@
}
SafePolyPoints = (LPINT)&Safept[Count];
-
- Status = MmCopyFromCaller(Safept, Points, sizeof(POINT) * Count);
- if(!NT_SUCCESS(Status))
+
+ _SEH_TRY
{
- DC_UnlockDc(dc);
- ExFreePool(Safept);
- SetLastNtError(Status);
- return FALSE;
+ /* pointers already probed! */
+ RtlCopyMemory(Safept,
+ Points,
+ Count * sizeof(POINT));
+ RtlCopyMemory(SafePolyPoints,
+ PolyCounts,
+ Count * sizeof(INT));
}
- Status = MmCopyFromCaller(SafePolyPoints, PolyCounts, sizeof(INT) * Count);
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
@@ -1520,7 +1579,7 @@
PTRIVERTEX SafeVertex;
PVOID SafeMesh;
ULONG SizeMesh;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
dc = DC_LockDc(hdc);
if(!dc)
@@ -1555,6 +1614,28 @@
SetLastWin32Error(ERROR_INVALID_PARAMETER);
return FALSE;
}
+
+ _SEH_TRY
+ {
+ ProbeForRead(pVertex,
+ uVertex * sizeof(TRIVERTEX),
+ 1);
+ ProbeForRead(pMesh,
+ SizeMesh,
+ 1);
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
+ if (!NT_SUCCESS(Status))
+ {
+ DC_UnlockDc(dc);
+ SetLastWin32Error(Status);
+ return FALSE;
+ }
if(!(SafeVertex = ExAllocatePoolWithTag(PagedPool, (uVertex * sizeof(TRIVERTEX)) + SizeMesh, TAG_SHAPE)))
{
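Review bot: The probe-failure path calls `SetLastWin32Error(Status)` with an NTSTATUS exception code, so the caller's last error becomes a raw status value rather than a Win32 error code. The other exception-failure paths added in this commit use the translating helper; this line should be `SetLastNtError(Status);`. The surrounding function extends beyond the hunk.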
@@ -1562,16 +1643,25 @@
SetLastWin32Error(ERROR_NOT_ENOUGH_MEMORY);
return FALSE;
}
- Status = MmCopyFromCaller(SafeVertex, pVertex, uVertex * sizeof(TRIVERTEX));
- if(!NT_SUCCESS(Status))
+
+ SafeMesh = (PTRIVERTEX)(SafeVertex + uVertex);
+
+ _SEH_TRY
{
- DC_UnlockDc(dc);
- ExFreePool(SafeVertex);
- SetLastNtError(Status);
- return FALSE;
+ /* pointers were already probed! */
+ RtlCopyMemory(SafeVertex,
+ pVertex,
+ uVertex * sizeof(TRIVERTEX));
+ RtlCopyMemory(SafeMesh,
+ pMesh,
+ SizeMesh);
}
- SafeMesh = (PTRIVERTEX)(SafeVertex + uVertex);
- Status = MmCopyFromCaller(SafeMesh, pMesh, SizeMesh);
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
--- trunk/reactos/subsys/win32k/objects/line.c 2005-07-26 11:22:48 UTC (rev 16737)
+++ trunk/reactos/subsys/win32k/objects/line.c 2005-07-26 12:22:55 UTC (rev 16738)
@@ -503,7 +503,7 @@
{
DC *dc;
POINT SafePoint;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
BOOL Ret;
dc = DC_LockDc(hDC);
@@ -521,7 +521,19 @@
if(Point)
{
- Status = MmCopyFromCaller(&SafePoint, Point, sizeof(POINT));
+ _SEH_TRY
+ {
+ ProbeForRead(Point,
+ sizeof(POINT),
+ 1);
+ SafePoint = *Point;
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
@@ -544,7 +556,7 @@
{
DC *dc;
LPPOINT Safept;
- NTSTATUS Status;
+ NTSTATUS Status = STATUS_SUCCESS;
BOOL Ret;
dc = DC_LockDc(hDC);
@@ -562,6 +574,25 @@
if(Count > 0)
{
[truncated at 1000 lines; 1059 more skipped]