[ros-diffs] [tkreuzer] 70412: [WIN32K] Pass cjMaxBits parameter from GreCreateDIBitmapInternal to IntCreateDIBitmap and check the image size before creating the bitmap. Should fix crash when hitting about tab ...

Author: tkreuzer Date: Wed Dec 23 14:55:34 2015 New Revision: 70412 URL: http://svn.reactos.org/svn/reactos?rev=70412&view=rev Log: [WIN32K] Pass cjMaxBits parameter from GreCreateDIBitmapInternal to IntCreateDIBitmap and check the image size before creating the bitmap. Should fix crash when hitting about tab in Office2000 WinWord. CORE-10583 #comment please retest Modified: trunk/reactos/win32ss/gdi/ntgdi/dibobj.c Modified: trunk/reactos/win32ss/gdi/ntgdi/dibobj.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/ntgdi/dibobj.c… ============================================================================== --- trunk/reactos/win32ss/gdi/ntgdi/dibobj.c [iso-8859-1] (original) +++ trunk/reactos/win32ss/gdi/ntgdi/dibobj.c [iso-8859-1] Wed Dec 23 14:55:34 2015 @@ -248,6 +248,7 @@ UINT StartScan, UINT ScanLines, CONST VOID *Bits, + ULONG cjMaxBits, CONST BITMAPINFO *bmi, UINT ColorUse) { @@ -260,6 +261,11 @@ PPALETTE ppalDIB = 0; if (!bmi) return 0; + + if (bmi->bmiHeader.biSizeImage > cjMaxBits) + { + return 0; + } SourceBitmap = GreCreateBitmapEx(bmi->bmiHeader.biWidth, ScanLines, @@ -1316,6 +1322,7 @@ ULONG compression, DWORD init, LPBYTE bits, + ULONG cjMaxBits, PBITMAPINFO data, DWORD coloruse) { @@ -1390,7 +1397,7 @@ if ((NULL != handle) && (CBM_INIT & init)) { - IntSetDIBits(Dc, handle, 0, height, bits, data, coloruse); + IntSetDIBits(Dc, handle, 0, height, bits, cjMaxBits, data, coloruse); } return handle; @@ -1529,7 +1536,7 @@ planes = 0; compression = 0; } - Bmp = IntCreateDIBitmap(Dc, cx, cy, planes, bpp, compression, fInit, pjInit, pbmi, iUsage); + Bmp = IntCreateDIBitmap(Dc, cx, cy, planes, bpp, compression, fInit, pjInit, cjMaxBits, pbmi, iUsage); DC_UnlockDc(Dc); if(!hDc)