Author: jimtabor Date: Sun Jan 3 01:05:15 2010 New Revision: 44902
URL: http://svn.reactos.org/svn/reactos?rev=44902&view=rev Log: [Win32k] - Patch by Dan Kegel: Fix minor read buffer overrun in CombineRgn. http://bugs.winehq.org/show_bug.cgi?id=20851 - When locking and unlocking regions, probe the attribute space before reading from or writing to it.
Modified: trunk/reactos/subsystems/win32/win32k/objects/gdiobj.c trunk/reactos/subsystems/win32/win32k/objects/region.c
Modified: trunk/reactos/subsystems/win32/win32k/objects/gdiobj.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/obj...
==============================================================================
--- trunk/reactos/subsystems/win32/win32k/objects/gdiobj.c [iso-8859-1] (original)
+++ trunk/reactos/subsystems/win32/win32k/objects/gdiobj.c [iso-8859-1] Sun Jan 3 01:05:15 2010
@@ -750,7 +750,12 @@
 {
 return TRUE;
 }
- if (pAttr) FreeObjectAttr(pAttr);
+ if (pAttr)
+ {
+ KeEnterCriticalRegion();
+ FreeObjectAttr(pAttr);
+ KeLeaveCriticalRegion();
+ }
 break;
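Review bot: The added KeEnterCriticalRegion()/KeLeaveCriticalRegion() pair around FreeObjectAttr(pAttr) carries no comment saying what it guards, and a critical region only suppresses normal kernel APC delivery for the calling thread; it does not exclude other threads from the handle-table entry or from the attribute block. If the intent is to keep the thread from being interrupted while the user-mode attribute memory is released, a comment such as `/* no APCs while the attribute block is released, so the entry is never left half-updated */` should say so; if cross-thread exclusion is what is needed, the critical region is not a substitute for a lock. The same pair is introduced in region.c at @2062, @2081 and @2142, and the same comment applies there. The enclosing switch and function continue outside the hunk.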
case GDI_OBJECT_TYPE_DC:
Modified: trunk/reactos/subsystems/win32/win32k/objects/region.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/obj...
==============================================================================
--- trunk/reactos/subsystems/win32/win32k/objects/region.c [iso-8859-1] (original)
+++ trunk/reactos/subsystems/win32/win32k/objects/region.c [iso-8859-1] Sun Jan 3 01:05:15 2010
@@ -1650,7 +1650,8 @@
 pNextRect++;
 }
 r1++;
- left = r1->left;
+ if (r1 != r1End)
+ left = r1->left;
 }
 }
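Review bot: The new guard `if (r1 != r1End) left = r1->left;` leaves `left` holding the previous rectangle's value once r1 reaches the end, which is only correct if the enclosing loop exits before `left` is read again; that loop starts outside the hunk and its condition is not visible, so the assumption should be written down: `/* r1 == r1End: the outer loop terminates, left is not read again */`. The same commit brackets single-statement bodies on their own line in gdiobj.c, so the bare statement after the `if` is also a style mismatch with the rest of the change. If a symmetric walk over r2 advances the same way, it presumably needs the same guard; only the r1 side is covered here.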
@@ -2062,9 +2063,11 @@
 }
 }
+ KeEnterCriticalRegion();
 Index = GDI_HANDLE_GET_INDEX(hReg);
 Entry = &GdiHandleTable->Entries[Index];
 Entry->UserData = AllocateObjectAttr();
+ KeLeaveCriticalRegion();
 EMPTY_REGION(pReg);
 pReg->rdh.dwSize = sizeof(RGNDATAHEADER);
@@ -2081,22 +2084,26 @@
 INT Index;
 PGDI_TABLE_ENTRY Entry;
 PROSRGNDATA pRgn;
- PRGN_ATTR pRgn_Attr;
+ PRGN_ATTR pRgn_Attr;
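Review bot: `Entry->UserData = AllocateObjectAttr();` stores the result without checking it, and whether AllocateObjectAttr can return NULL is not visible in this hunk. The lock and unlock paths changed later in this commit do test `if (pRgn_Attr)` before touching the block, so a NULL UserData is tolerated downstream, but the assignment should say which of the two holds: `/* may be NULL: the region lock/unlock paths check UserData before using it */`. The enclosing function starts outside the hunk.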
pRgn = REGION_LockRgn(hRgn);
 if (pRgn)
 {
+ KeEnterCriticalRegion();
 Index = GDI_HANDLE_GET_INDEX(hRgn);
 Entry = &GdiHandleTable->Entries[Index];
- pRgn_Attr = Entry->UserData;
+ KeLeaveCriticalRegion();
 if (pRgn_Attr)
 {
 _SEH2_TRY
 {
- if ( pRgn_Attr->AttrFlags & (ATTR_RGN_VALID|ATTR_RGN_DIRTY) )
+ ProbeForWrite(pRgn_Attr, sizeof(RGN_ATTR), 1);
+
+ if ( !(pRgn_Attr->AttrFlags & ATTR_CACHED) &&
+ pRgn_Attr->AttrFlags & (ATTR_RGN_VALID|ATTR_RGN_DIRTY) )
 {
 switch (pRgn_Attr->Flags)
 {
@@ -2142,15 +2149,18 @@
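Review bot: After `ProbeForWrite(pRgn_Attr, sizeof(RGN_ATTR), 1);` the new condition reads `pRgn_Attr->AttrFlags` twice and the switch reads `pRgn_Attr->Flags` from the same user-mode block, so a concurrent user-mode writer can present a different value to each fetch; copying the flags into locals once right after the probe (`AttrFlags = pRgn_Attr->AttrFlags;`, declared with the field's type) and testing the copies removes the double fetch. Separately, as rendered here `pRgn_Attr = Entry->UserData;` appears only on the removed side with nothing assigning pRgn_Attr before `if (pRgn_Attr)`; presumably the assignment survives as a context line that the rendering dropped, but that is worth confirming, since otherwise pRgn_Attr is used uninitialized. Both points apply equally to the unlock path at @2142. The enclosing function starts before this hunk and its body continues past it.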
 if (pRgn)
 {
+ KeEnterCriticalRegion();
 Index = GDI_HANDLE_GET_INDEX(pRgn->BaseObject.hHmgr);
 Entry = &GdiHandleTable->Entries[Index];
- pRgn_Attr = Entry->UserData;
-
- _SEH2_TRY
+ KeLeaveCriticalRegion();
+
+ if ( pRgn_Attr )
 {
- if ( pRgn_Attr )
- {
+ _SEH2_TRY
+ {
+ ProbeForWrite(pRgn_Attr, sizeof(RGN_ATTR), 1);
+
 if ( pRgn_Attr->AttrFlags & ATTR_RGN_VALID )
 {
 pRgn_Attr->Flags = REGION_Complexity( pRgn );
@@ -2160,11 +2170,11 @@
 pRgn_Attr->Rect.bottom = pRgn->rdh.rcBound.bottom;
 }
 }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ }
+ _SEH2_END;
 }
- _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
- {
- }
- _SEH2_END;
 }
 REGION_UnlockRgn(pRgn);
 }
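Review bot: The unlock path tests only `ATTR_RGN_VALID` before writing `Flags` and `Rect` into the user attribute block, whereas the lock path in the previous hunk now also requires `!(pRgn_Attr->AttrFlags & ATTR_CACHED)`; if ATTR_CACHED marks a block that is not currently owned by this region, which the new lock-side guard suggests, the unlock path should skip it too: `if ( !(pRgn_Attr->AttrFlags & ATTR_CACHED) && (pRgn_Attr->AttrFlags & ATTR_RGN_VALID) )`. If the two guards are meant to differ, a one-line comment saying why would settle it. The enclosing function starts outside the hunk.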
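Review bot: The relocated `_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { }` handler is still empty, so a fault while writing the probed attribute block is discarded without a trace, and the block can be left partially updated (`Flags` written, `Rect` not). A comment in the handler should state that this is deliberate, e.g. `/* user-mode attribute block faulted; the kernel-side region data remains authoritative */`, and a debug trace there would make the condition visible during testing. Whether the kernel-side copy really is authoritative is not visible in this hunk and should be confirmed before the comment is worded that way.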