Author: tkreuzer
Date: Sat Oct 31 12:52:01 2015
New Revision: 69748
URL:
http://svn.reactos.org/svn/reactos?rev=69748&view=rev
Log:
[WIN32K]
Fix parameter handling in NtGdiDoPalette
CORE-9435 #resolve
Modified:
trunk/reactos/include/psdk/ntgdi.h
trunk/reactos/win32ss/gdi/ntgdi/palette.c
Modified: trunk/reactos/include/psdk/ntgdi.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/include/psdk/ntgdi.h?rev=6…
==============================================================================
--- trunk/reactos/include/psdk/ntgdi.h [iso-8859-1] (original)
+++ trunk/reactos/include/psdk/ntgdi.h [iso-8859-1] Sat Oct 31 12:52:01 2015
@@ -439,8 +439,8 @@
_In_ HGDIOBJ hObj,
_In_ WORD iStart,
_In_ WORD cEntries,
- _When_((iFunc == GdiPalGetEntries) || (iFunc == GdiPalGetSystemEntries),
_Out_writes_bytes_(cEntries*sizeof(PALETTEENTRY)))
- _When_((iFunc != GdiPalGetEntries) && (iFunc != GdiPalGetSystemEntries),
_In_reads_bytes_(cEntries*sizeof(PALETTEENTRY))) LPVOID pEntries,
+ _When_(bInbound!=0, _In_reads_bytes_(cEntries*sizeof(PALETTEENTRY)))
+ _When_(bInbound==0, _Out_writes_bytes_(cEntries*sizeof(PALETTEENTRY))) LPVOID
pEntries,
_In_ DWORD iFunc,
_In_ BOOL bInbound);
Modified: trunk/reactos/win32ss/gdi/ntgdi/palette.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/ntgdi/palette.…
==============================================================================
--- trunk/reactos/win32ss/gdi/ntgdi/palette.c [iso-8859-1] (original)
+++ trunk/reactos/win32ss/gdi/ntgdi/palette.c [iso-8859-1] Sat Oct 31 12:52:01 2015
@@ -1055,39 +1055,38 @@
return iResult;
}
-W32KAPI
+__kernel_entry
LONG
APIENTRY
NtGdiDoPalette(
- IN HGDIOBJ hObj,
- IN WORD iStart,
- IN WORD cEntries,
- IN LPVOID pUnsafeEntries,
- IN DWORD iFunc,
- IN BOOL bInbound)
+ _In_ HGDIOBJ hObj,
+ _In_ WORD iStart,
+ _In_ WORD cEntries,
+ _When_(bInbound!=0, _In_reads_bytes_(cEntries*sizeof(PALETTEENTRY)))
+ _When_(bInbound==0, _Out_writes_bytes_(cEntries*sizeof(PALETTEENTRY))) LPVOID
pUnsafeEntries,
+ _In_ DWORD iFunc,
+ _In_ BOOL bInbound)
{
LONG ret;
LPVOID pEntries = NULL;
-
- /* FIXME: Handle bInbound correctly */
-
- if (bInbound &&
- (pUnsafeEntries == NULL || cEntries == 0))
- {
- return 0;
- }
+ SIZE_T cjSize;
if (pUnsafeEntries)
{
- pEntries = ExAllocatePoolWithTag(PagedPool, cEntries * sizeof(PALETTEENTRY),
TAG_PALETTE);
+ if (cEntries == 0)
+ return 0;
+
+ cjSize = cEntries * sizeof(PALETTEENTRY);
+ pEntries = ExAllocatePoolWithTag(PagedPool, cjSize, TAG_PALETTE);
if (!pEntries)
return 0;
+
if (bInbound)
{
_SEH2_TRY
{
- ProbeForRead(pUnsafeEntries, cEntries * sizeof(PALETTEENTRY), 1);
- memcpy(pEntries, pUnsafeEntries, cEntries * sizeof(PALETTEENTRY));
+ ProbeForRead(pUnsafeEntries, cjSize, 1);
+ memcpy(pEntries, pUnsafeEntries, cjSize);
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
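Review bot: The early return for a NULL pUnsafeEntries on the inbound path is dropped (old lines `if (bInbound && (pUnsafeEntries == NULL || cEntries == 0)) return 0;`) and only the `cEntries == 0` half survives, inside `if (pUnsafeEntries)`; so when bInbound is set and the caller passes NULL with a non-zero cEntries, pEntries stays NULL and the per-iFunc dispatch further down (outside this hunk) is handed a NULL buffer with a non-zero count. Unless each inbound handler checks for NULL itself, that is a user-reachable NULL dereference in kernel mode, and it also disagrees with the new `_When_(bInbound!=0, _In_reads_bytes_(...))` annotation in ntgdi.h, which declares the buffer required on that path. I would keep the guard ahead of the allocation: `if (bInbound && (pUnsafeEntries == NULL)) return 0;` placed before the `if (pUnsafeEntries)` block. NtGdiDoPalette's body continues past the end of this hunk.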
@@ -1099,7 +1098,7 @@
else
{
/* Zero it out, so we don't accidentally leak kernel data */
- RtlZeroMemory(pEntries, cEntries * sizeof(PALETTEENTRY));
+ RtlZeroMemory(pEntries, cjSize);
}
}
@@ -1137,12 +1136,13 @@
if (pEntries)
{
- if (!bInbound)
+ if (!bInbound && (ret > 0))
{
+ cjSize = min(cEntries, ret) * sizeof(PALETTEENTRY);
_SEH2_TRY
{
- ProbeForWrite(pUnsafeEntries, cEntries * sizeof(PALETTEENTRY), 1);
- memcpy(pUnsafeEntries, pEntries, cEntries * sizeof(PALETTEENTRY));
+ ProbeForWrite(pUnsafeEntries, cjSize, 1);
+ memcpy(pUnsafeEntries, pEntries, cjSize);
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{