Author: tkreuzer Date: Sat Oct 31 20:37:20 2015 New Revision: 69760
URL: http://svn.reactos.org/svn/reactos?rev=69760&view=rev Log: [WIN32K] Check the size of RLE bitmaps, while decompressing. Fixes possible buffer overrun. Patch by Kamil Hornicek CORE-8735 #resolve
Modified: trunk/reactos/win32ss/gdi/eng/eng.h trunk/reactos/win32ss/gdi/eng/rlecomp.c trunk/reactos/win32ss/gdi/ntgdi/bitmaps.c
Modified: trunk/reactos/win32ss/gdi/eng/eng.h URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/eng/eng.h?rev=6... ==============================================================================
--- trunk/reactos/win32ss/gdi/eng/eng.h [iso-8859-1] (original)
+++ trunk/reactos/win32ss/gdi/eng/eng.h [iso-8859-1] Sat Oct 31 20:37:20 2015
@@ -52,4 +52,5 @@
 BYTE *CompressedBits,
 BYTE *UncompressedBits,
 LONG Delta,
- ULONG iFormat);
+ ULONG iFormat,
+ ULONG cjSizeImage);
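Review bot: The new `cjSizeImage` parameter is added to the prototype without any comment, so a caller has to read rlecomp.c to learn that it is the byte size of the buffer behind `CompressedBits` and is the value the decompressor compares its read offset against. Since a wrong value here silently re-opens the overrun this commit closes, the contract belongs on the declaration: `ULONG cjSizeImage); /* byte size of CompressedBits; bounds the decompressor's reads */`. It would also help to state whether 0 is a legal value, as the bitmaps.c caller previously forced it to 0 for compressed formats.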
Modified: trunk/reactos/win32ss/gdi/eng/rlecomp.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/eng/rlecomp.c?r... ==============================================================================
--- trunk/reactos/win32ss/gdi/eng/rlecomp.c [iso-8859-1] (original)
+++ trunk/reactos/win32ss/gdi/eng/rlecomp.c [iso-8859-1] Sat Oct 31 20:37:20 2015
@@ -18,14 +18,14 @@
 RLE_DELTA = 2 /* Delta */
 };
-VOID DecompressBitmap(SIZEL Size, BYTE *CompressedBits, BYTE *UncompressedBits, LONG Delta, ULONG Format)
+VOID DecompressBitmap(SIZEL Size, BYTE *CompressedBits, BYTE *UncompressedBits, LONG Delta, ULONG Format, ULONG cjSizeImage)
 {
 INT x = 0;
 INT y = Size.cy - 1;
 INT c;
 INT length;
 INT width;
- INT height = Size.cy - 1;
+ INT height = y;
 BYTE *begin = CompressedBits;
 BYTE *bits = CompressedBits;
 BYTE *temp;
@@ -40,7 +40,7 @@
 _SEH2_TRY
 {
- while (y >= 0)
+ while (y >= 0 && (bits - begin) <= cjSizeImage)
 {
 length = (*bits++) >> shift;
 if (length)
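Review bot: The guard `(bits - begin) <= cjSizeImage` still lets the loop run when `bits - begin == cjSizeImage`, and the very next line `length = (*bits++) >> shift;` then reads the byte at offset cjSizeImage, one past the end of the compressed buffer; the comparison should be `while (y >= 0 && (bits - begin) < cjSizeImage)`. The check is also made only once per iteration at the loop head, while the body presumably advances `bits` further for the run's payload (the rest of the body is outside the hunk), so a single run can carry the read pointer past cjSizeImage before the next check catches it; each `*bits++` needs its own remaining-bytes test, or the loop should compute the bytes the run requires and compare against `cjSizeImage - (bits - begin)` before consuming them. `bits - begin` is a signed ptrdiff_t compared against an unsigned ULONG; it cannot be negative here so the implicit conversion is harmless, but an explicit `(ULONG)(bits - begin)` would make that reasoning visible. The `_SEH2_TRY` block and DecompressBitmap's body continue outside the hunk.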
Modified: trunk/reactos/win32ss/gdi/ntgdi/bitmaps.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/ntgdi/bitmaps.c... ==============================================================================
--- trunk/reactos/win32ss/gdi/ntgdi/bitmaps.c [iso-8859-1] (original)
+++ trunk/reactos/win32ss/gdi/ntgdi/bitmaps.c [iso-8859-1] Sat Oct 31 20:37:20 2015
@@ -107,7 +107,6 @@
 pvCompressedBits = pvBits;
 pvBits = NULL;
 iFormat = (iFormat == BMF_4RLE) ? BMF_4BPP : BMF_8BPP;
- cjSizeImage = 0;
 }
 /* Allocate a surface */
@@ -117,7 +116,7 @@
 iFormat,
 fjBitmap,
 cjWidthBytes,
- cjSizeImage,
+ pvCompressedBits ? 0 : cjSizeImage,
 pvBits);
 if (!psurf)
 {
@@ -136,7 +135,7 @@
 lDelta = WIDTH_BYTES_ALIGN32(nWidth, gajBitsPerFormat[iFormat]);
 pvBits = psurf->SurfObj.pvBits;
- DecompressBitmap(sizl, pvCompressedBits, pvBits, lDelta, iFormat);
+ DecompressBitmap(sizl, pvCompressedBits, pvBits, lDelta, iFormat, cjSizeImage);
 }
/* Get the handle for the bitmap */
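Review bot: After this change `cjSizeImage` is the only thing bounding DecompressBitmap's reads of `pvCompressedBits`, yet none of the three hunks shows it being checked against the real length of the buffer that pvBits pointed to; if the value is taken from the caller's bitmap header rather than from the captured buffer (the start of the function is outside the hunk, so this is unverified here), an oversized value simply moves the overrun instead of removing it. Wherever the compressed bits are captured or probed, the size used for that copy/probe should be the one passed here, or cjSizeImage should be explicitly checked not to exceed it and the call rejected otherwise, e.g. `if (cjSizeImage > cjCompressedBuffer) goto fail;` with the buffer length named whatever that function already tracks. The first hunk also stops forcing cjSizeImage to 0 for compressed formats, so a header value of 0 now reaches DecompressBitmap unchanged; given the `<=` guard in rlecomp.c that would stop after a single byte, so it is worth deciding whether 0 is rejected up front or documented as producing an empty bitmap.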