Author: jgardou Date: Wed Sep 1 22:36:00 2010 New Revision: 48685
URL: http://svn.reactos.org/svn/reactos?rev=48685&view=rev Log: [WIN32K] - Do not access unsafe bits outside of PSEH
Modified: branches/reactos-yarotows/subsystems/win32/win32k/objects/dibobj.c
Modified: branches/reactos-yarotows/subsystems/win32/win32k/objects/dibobj.c
URL: http://svn.reactos.org/svn/reactos/branches/reactos-yarotows/subsystems/win3...
==============================================================================
--- branches/reactos-yarotows/subsystems/win32/win32k/objects/dibobj.c [iso-8859-1] (original)
+++ branches/reactos-yarotows/subsystems/win32/win32k/objects/dibobj.c [iso-8859-1] Wed Sep 1 22:36:00 2010
@@ -1219,11 +1219,27 @@
 IN HANDLE hcmXform)
 {
 NTSTATUS Status = STATUS_SUCCESS;
+ PBYTE safeBits = NULL;
+ HBITMAP hbmResult = NULL;
+
+ if(pjInit && (fInit == CBM_INIT))
+ {
+ safeBits = ExAllocatePoolWithTag(PagedPool, cjMaxBits, TAG_DIB);
+ if(!safeBits)
+ {
+ SetLastWin32Error(ERROR_NOT_ENOUGH_MEMORY);
+ return NULL;
+ }
+ }

 _SEH2_TRY
 {
 if(pbmi) ProbeForRead(pbmi, cjMaxInitInfo, 1);
- if(pjInit && (fInit == CBM_INIT)) ProbeForRead(pjInit, cjMaxBits, 1);
+ if(pjInit && (fInit == CBM_INIT))
+ {
+ ProbeForRead(pjInit, cjMaxBits, 1);
+ RtlCopyMemory(safeBits, pjInit, cjMaxBits);
+ }
 }
 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
 {
@@ -1234,18 +1250,22 @@
 if(!NT_SUCCESS(Status))
 {
 SetLastNtError(Status);
- return NULL;
- }
-
- return GreCreateDIBitmapInternal(hDc,
- cx,
- cy,
- fInit,
- pjInit,
- pbmi,
- iUsage,
- fl,
- hcmXform);
+ goto cleanup;
+ }
+
+ hbmResult = GreCreateDIBitmapInternal(hDc,
+ cx,
+ cy,
+ fInit,
+ safeBits,
+ pbmi,
+ iUsage,
+ fl,
+ hcmXform);
+
+cleanup:
+ ExFreePoolWithTag(safeBits, TAG_DIB);
+ return hbmResult;
 }
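Review bot: The capture added in the first hunk covers only the pixel data: `pbmi` is still just probed by `ProbeForRead(pbmi, cjMaxInitInfo, 1)` and, in the second hunk, passed unchanged to `GreCreateDIBitmapInternal`, so the bitmap header is still read from user memory outside the SEH block and can change or be unmapped after the probe. It should be copied into a kernel buffer inside the same `_SEH2_TRY` as the bits, and the copy passed on instead. `cjMaxBits` is also a caller-supplied length used directly as the pool allocation size, with no visible bound and nothing tying it to the size the header implies. If the callee derives its read length from the header rather than from `cjMaxBits`, it could read past the end of `safeBits`; that needs checking in the callee, which is outside this diff. The function begins and ends outside the hunk.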
HBITMAP
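Review bot: The `cleanup:` path in the second hunk calls `ExFreePoolWithTag(safeBits, TAG_DIB)` unconditionally, but `safeBits` stays NULL whenever `pjInit` is NULL or `fInit` is not `CBM_INIT`, so every call without initial bits frees a NULL pointer. Unless this kernel's `ExFreePoolWithTag` is guaranteed to accept NULL, guard the call: `if(safeBits) ExFreePoolWithTag(safeBits, TAG_DIB);`. The start of the function lies outside this hunk.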