[ros-diffs] [tkreuzer] 67058: [WIN32K] Check in BltMask if the masking operation would exceed the mask bitmap. Should fix crash when running gdi32_apitest MaskBlt. CORE-9483

Author: tkreuzer Date: Sun Apr 5 08:40:52 2015 New Revision: 67058 URL: http://svn.reactos.org/svn/reactos?rev=67058&view=rev Log: [WIN32K] Check in BltMask if the masking operation would exceed the mask bitmap. Should fix crash when running gdi32_apitest MaskBlt. CORE-9483 Modified: trunk/reactos/win32ss/gdi/eng/bitblt.c Modified: trunk/reactos/win32ss/gdi/eng/bitblt.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/eng/bitblt.c?r… ============================================================================== --- trunk/reactos/win32ss/gdi/eng/bitblt.c [iso-8859-1] (original) +++ trunk/reactos/win32ss/gdi/eng/bitblt.c [iso-8859-1] Sun Apr 5 08:40:52 2015 @@ -51,7 +51,7 @@ POINTL* pptlBrush, ROP4 Rop4) { - LONG x, y; + LONG x, y, cx, cy; BYTE *pjMskLine, *pjMskCurrent; BYTE fjMaskBit0, fjMaskBit; /* Pattern brushes */ @@ -87,6 +87,14 @@ } else psoPattern = NULL; + + cx = prclDest->right - prclDest->left; + cy = prclDest->bottom - prclDest->top; + if ((pptlMask->x + cx > psoMask->sizlBitmap.cx) || + (pptlMask->y + cy > psoMask->sizlBitmap.cy)) + { + return FALSE; + } pjMskLine = (PBYTE)psoMask->pvScan0 + pptlMask->y * psoMask->lDelta + (pptlMask->x >> 3); fjMaskBit0 = 0x80 >> (pptlMask->x & 0x07);