https://git.reactos.org/?p=reactos.git;a=commitdiff;h=514147776a7e706369110…
commit 514147776a7e70636911033ab6c89779b2c8ee1e
Author: Joachim Henze <Joachim.Henze(a)reactos.org>
AuthorDate: Sat Jun 19 17:41:49 2021 +0200
Commit: Joachim Henze <Joachim.Henze(a)reactos.org>
CommitDate: Sat Jun 19 17:41:49 2021 +0200
[NTGDI] Fix potential BSOD 0x1E CORE-17626
in CreateDIBPalette() when passing invalid arguments to CreateDIBSection.
This could be triggered by using the broken test-application "GDIProg".
After this patch, not only is the BSOD fixed, but the app also starts up
properly, as is the case on 2k3sp2.
Thanks to the patch's author, Doug Lyons.
---
win32ss/gdi/ntgdi/dibobj.c | 28 +++++++++++++++++++++++-----
1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/win32ss/gdi/ntgdi/dibobj.c b/win32ss/gdi/ntgdi/dibobj.c
index 3d88101c8ab..1ae6e8affa9 100644
--- a/win32ss/gdi/ntgdi/dibobj.c
+++ b/win32ss/gdi/ntgdi/dibobj.c
@@ -45,6 +45,8 @@ CreateDIBPalette(
{
PPALETTE ppal;
ULONG i, cBitsPixel, cColors;
+ RGBQUAD rgb;
+ NTSTATUS Status;
if (pbmi->bmiHeader.biSize < sizeof(BITMAPINFOHEADER))
{
@@ -133,12 +135,28 @@ CreateDIBPalette(
/* Loop all color indices in the DIB */
for (i = 0; i < cColors; i++)
{
- /* Get the color value and translate it to a COLORREF */
- RGBQUAD rgb = prgb[i];
- COLORREF crColor = RGB(rgb.rgbRed, rgb.rgbGreen, rgb.rgbBlue);
+ /* User SEH to verify READ success */
+ Status = STATUS_SUCCESS;
+ _SEH2_TRY
+ {
+ rgb = prgb[i];
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ Status = _SEH2_GetExceptionCode();
+ /* On Read Failure, put zero in Palette */
+ PALETTE_vSetRGBColorForIndex(ppal, i, 0);
+ }
+ _SEH2_END
- /* Set the RGB value in the palette */
- PALETTE_vSetRGBColorForIndex(ppal, i, crColor);
+ if(NT_SUCCESS(Status))
+ {
+ /* Get the color value and translate it to a COLORREF */
+ COLORREF crColor = RGB(rgb.rgbRed, rgb.rgbGreen, rgb.rgbBlue);
+
+ /* Set the RGB value in the palette */
+ PALETTE_vSetRGBColorForIndex(ppal, i, crColor);
+ }
}
}
else
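Review bot: The `_SEH2_TRY` around `rgb = prgb[i]` recovers from a faulting read but does not bound it, so if `cColors` is larger than the color table the caller actually supplied, every entry past the end that happens to be readable is still copied into the palette. Neither the probing or capture of `pbmi` nor the computation of `cColors` is visible here (CreateDIBPalette starts before and continues after this hunk), so this needs confirming against the callers. If the table extent is not already validated, a single check before the loop that `cColors * sizeof(RGBQUAD)` fits in the supplied buffer would be the stronger fix, because an exception handler generally only helps for faults on user-range addresses. After the first fault the loop also keeps reading the remaining entries, each of which may raise again; zero-filling the rest of the palette and leaving the loop would avoid the repeated exception dispatch. The new comment reads "User SEH" and should be `/* Use SEH to verify READ success */`.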