removed some MmCopyTo/FromCaller calls from win32k's GDI Modified: trunk/reactos/subsys/win32k/objects/brush.c Modified: trunk/reactos/subsys/win32k/objects/cliprgn.c Modified: trunk/reactos/subsys/win32k/objects/coord.c Modified: trunk/reactos/subsys/win32k/objects/dc.c Modified: trunk/reactos/subsys/win32k/objects/fillshap.c Modified: trunk/reactos/subsys/win32k/objects/line.c Modified: trunk/reactos/subsys/win32k/objects/pen.c Modified: trunk/reactos/subsys/win32k/objects/print.c Modified: trunk/reactos/subsys/win32k/objects/rect.c Modified: trunk/reactos/subsys/win32k/objects/region.c _____
Modified: trunk/reactos/subsys/win32k/objects/brush.c
--- trunk/reactos/subsys/win32k/objects/brush.c 2005-07-26 11:22:48 UTC (rev 16737)
+++ trunk/reactos/subsys/win32k/objects/brush.c 2005-07-26 12:22:55 UTC (rev 16738)
@@ -563,7 +563,7 @@
CONST VOID *PackedDIB) { BITMAPINFO *SafeBitmapInfoAndData; - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS; HBRUSH hBrush;
SafeBitmapInfoAndData = EngAllocMem(0, BitmapInfoSize, 0); @@ -573,10 +573,24 @@ return NULL; }
- Status = MmCopyFromCaller(SafeBitmapInfoAndData, BitmapInfoAndData, - BitmapInfoSize); + _SEH_TRY + { + ProbeForRead(BitmapInfoAndData, + BitmapInfoSize, + 1); + RtlCopyMemory(SafeBitmapInfoAndData, + BitmapInfoAndData, + BitmapInfoSize); + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + if (!NT_SUCCESS(Status)) { + EngFreeMem(SafeBitmapInfoAndData); SetLastNtError(Status); return 0; } @@ -632,11 +646,23 @@
if (Point != NULL) { - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS; POINT SafePoint; SafePoint.x = dc->w.brushOrgX; SafePoint.y = dc->w.brushOrgY; - Status = MmCopyToCaller(Point, &SafePoint, sizeof(POINT)); + _SEH_TRY + { + ProbeForWrite(Point, + sizeof(POINT), + 1); + *Point = SafePoint; + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + if(!NT_SUCCESS(Status)) { DC_UnlockDc(dc); @@ -661,7 +687,7 @@ ULONG Reserved) { PPATRECT rb = NULL; - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS; BOOL Ret;
if (cRects > 0) @@ -672,7 +698,21 @@ SetLastWin32Error(ERROR_NOT_ENOUGH_MEMORY); return FALSE; } - Status = MmCopyFromCaller(rb, pRects, sizeof(PATRECT) * cRects); + _SEH_TRY + { + ProbeForRead(pRects, + cRects * sizeof(PATRECT), + 1); + RtlCopyMemory(rb, + pRects, + cRects * sizeof(PATRECT)); + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + if (!NT_SUCCESS(Status)) { ExFreePool(rb); _____
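Review bot: `cRects * sizeof(PATRECT)` in the last hunk of this file is built from a caller-supplied count with no upper bound, so on a 32-bit size the product can wrap and the probe and copy then cover fewer bytes than `cRects` entries. The allocation of `rb` is outside the hunk, but if it uses the same product, code that later walks `cRects` rectangles would read past the pool block. I would reject oversized counts before allocating, e.g. `if (cRects > MAXULONG / sizeof(PATRECT)) { SetLastWin32Error(ERROR_INVALID_PARAMETER); return FALSE; }`. The same unchecked products appear in the fillshap.c hunks (`Count * sizeof(POINT)`, `Count * sizeof(INT)`, `uVertex * sizeof(TRIVERTEX)`).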
Modified: trunk/reactos/subsys/win32k/objects/cliprgn.c
--- trunk/reactos/subsys/win32k/objects/cliprgn.c 2005-07-26 11:22:48 UTC (rev 16737)
+++ trunk/reactos/subsys/win32k/objects/cliprgn.c 2005-07-26 12:22:55 UTC (rev 16738)
@@ -192,7 +192,19 @@
Ret = IntGdiGetClipBox(hDC, &Saferect);
- Status = MmCopyToCaller(rc, &Saferect, sizeof(RECT)); + _SEH_TRY + { + ProbeForWrite(rc, + sizeof(RECT), + 1); + *rc = Saferect; + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + if(!NT_SUCCESS(Status)) {
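Review bot: `Status` is now assigned only inside `_SEH_HANDLE`, yet this hunk does not touch its declaration the way the other functions in this commit do (`NTSTATUS Status = STATUS_SUCCESS;`). The declaration is outside the hunk; if it is still a plain `NTSTATUS Status;`, the `if(!NT_SUCCESS(Status))` check after a fault-free copy reads an uninitialised value. The removed MmCopyToCaller call always assigned it, so that would be a regression. The fillshap.c hunk at `@@ -913,6 +943,28 @@` also adds a probe that tests `Status` with no visible initialiser change.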
@@ -341,7 +353,7 @@ BOOL STDCALL NtGdiRectVisible(HDC hDC, CONST PRECT UnsafeRect) { - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS; PROSRGNDATA Rgn; PDC dc = DC_LockDc(hDC); BOOL Result = FALSE; @@ -353,10 +365,23 @@ return FALSE; }
- Status = MmCopyFromCaller(&Rect, UnsafeRect, sizeof(RECT)); + _SEH_TRY + { + ProbeForRead(UnsafeRect, + sizeof(RECT), + 1); + Rect = *UnsafeRect; + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + if(!NT_SUCCESS(Status)) { DC_UnlockDc(dc); + SetLastNtError(Status); return FALSE; }
_____
Modified: trunk/reactos/subsys/win32k/objects/coord.c
--- trunk/reactos/subsys/win32k/objects/coord.c 2005-07-26 11:22:48 UTC (rev 16737)
+++ trunk/reactos/subsys/win32k/objects/coord.c 2005-07-26 12:22:55 UTC (rev 16738)
@@ -63,17 +63,29 @@
{ XFORM xformTemp; XFORM xform1, xform2; - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS; BOOL Ret;
- - Status = MmCopyFromCaller( &xform1, Unsafexform1, sizeof(XFORM) ); - if(!NT_SUCCESS(Status)) + _SEH_TRY { - SetLastNtError(Status); - return FALSE; + ProbeForWrite(UnsafeXFormResult, + sizeof(XFORM), + 1); + ProbeForRead(Unsafexform1, + sizeof(XFORM), + 1); + ProbeForRead(Unsafexform2, + sizeof(XFORM), + 1); + xform1 = *Unsafexform1; + xform2 = *Unsafexform2; } - Status = MmCopyFromCaller( &xform2, Unsafexform2, sizeof(XFORM) ); + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + if(!NT_SUCCESS(Status)) { SetLastNtError(Status); @@ -83,7 +95,17 @@ Ret = IntGdiCombineTransform(&xformTemp, &xform1, &xform2);
/* Copy the result to xformResult */ - Status = MmCopyToCaller( UnsafeXFormResult, &xformTemp, sizeof(XFORM) ); + _SEH_TRY + { + /* pointer was already probed! */ + *UnsafeXFormResult = xformTemp; + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + if(!NT_SUCCESS(Status)) { SetLastNtError(Status); @@ -131,7 +153,7 @@ int Count) { PDC dc; - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS; LPPOINT Points; ULONG Size;
@@ -159,7 +181,21 @@ return FALSE; }
- Status = MmCopyFromCaller(Points, UnsafePoints, Size); + _SEH_TRY + { + ProbeForWrite(UnsafePoints, + Size, + 1); + RtlCopyMemory(Points, + UnsafePoints, + Size); + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + if(!NT_SUCCESS(Status)) { DC_UnlockDc(dc); @@ -170,7 +206,19 @@
IntDPtoLP(dc, Points, Count);
- Status = MmCopyToCaller(UnsafePoints, Points, Size); + _SEH_TRY + { + /* pointer was already probed! */ + RtlCopyMemory(UnsafePoints, + Points, + Size); + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + if(!NT_SUCCESS(Status)) { DC_UnlockDc(dc); @@ -218,7 +266,7 @@ LPXFORM XForm) { PDC dc; - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS;
dc = DC_LockDc ( hDC ); if (!dc) @@ -233,7 +281,18 @@ return FALSE; }
- Status = MmCopyToCaller(XForm, &dc->w.xformWorld2Wnd, sizeof(XFORM)); + _SEH_TRY + { + ProbeForWrite(XForm, + sizeof(XFORM), + 1); + *XForm = dc->w.xformWorld2Wnd; + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END;
DC_UnlockDc(dc); return NT_SUCCESS(Status); @@ -280,7 +339,7 @@ NtGdiLPtoDP ( HDC hDC, LPPOINT UnsafePoints, INT Count ) { PDC dc; - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS; LPPOINT Points; ULONG Size;
@@ -308,7 +367,21 @@ return FALSE; }
- Status = MmCopyFromCaller(Points, UnsafePoints, Size); + _SEH_TRY + { + ProbeForWrite(UnsafePoints, + Size, + 1); + RtlCopyMemory(Points, + UnsafePoints, + Size); + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + if(!NT_SUCCESS(Status)) { DC_UnlockDc(dc); @@ -319,7 +392,19 @@
IntLPtoDP(dc, Points, Count);
- Status = MmCopyToCaller(UnsafePoints, Points, Size); + _SEH_TRY + { + /* pointer was already probed! */ + RtlCopyMemory(UnsafePoints, + Points, + Size); + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + if(!NT_SUCCESS(Status)) { DC_UnlockDc(dc); @@ -341,7 +426,7 @@ { PDC dc; XFORM SafeXForm; - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS;
dc = DC_LockDc(hDC); if (!dc) @@ -357,7 +442,19 @@ return FALSE; }
- Status = MmCopyFromCaller(&SafeXForm, UnsafeXForm, sizeof(XFORM)); + _SEH_TRY + { + ProbeForRead(UnsafeXForm, + sizeof(XFORM), + 1); + SafeXForm = *UnsafeXForm; + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + if(!NT_SUCCESS(Status)) { DC_UnlockDc(dc); @@ -403,8 +500,7 @@ LPPOINT UnsafePoint) { PDC dc; - POINT Point; - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS;
dc = DC_LockDc ( hDC ); if(!dc) @@ -415,9 +511,20 @@
if (UnsafePoint) { - Point.x = dc->vportOrgX; - Point.y = dc->vportOrgY; - Status = MmCopyToCaller(UnsafePoint, &Point, sizeof(POINT)); + _SEH_TRY + { + ProbeForWrite(UnsafePoint, + sizeof(POINT), + 1); + UnsafePoint->x = dc->vportOrgX; + UnsafePoint->y = dc->vportOrgY; + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + if ( !NT_SUCCESS(Status) ) { SetLastNtError(Status); @@ -452,13 +559,22 @@
if (Point) { - POINT SafePoint; - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS; + + _SEH_TRY + { + ProbeForWrite(Point, + sizeof(POINT), + 1); + Point->x = dc->wndOrgX; + Point->y = dc->wndOrgY; + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END;
- SafePoint.x = dc->wndOrgX; - SafePoint.y = dc->wndOrgY; - - Status = MmCopyToCaller(Point, &SafePoint, sizeof(POINT)); if(!NT_SUCCESS(Status)) { SetLastNtError(Status); @@ -594,13 +710,22 @@
if (Size) { - SIZE SafeSize; - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS;
- SafeSize.cx = dc->vportExtX; - SafeSize.cy = dc->vportExtY; + _SEH_TRY + { + ProbeForWrite(Size, + sizeof(SIZE), + 1); + Size->cx = dc->vportExtX; + Size->cy = dc->vportExtY; + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END;
- Status = MmCopyToCaller(Size, &SafeSize, sizeof(SIZE)); if(!NT_SUCCESS(Status)) { SetLastNtError(Status); @@ -636,13 +761,22 @@
if (Point) { - POINT SafePoint; - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS; + + _SEH_TRY + { + ProbeForWrite(Point, + sizeof(POINT), + 1); + Point->x = dc->vportOrgX; + Point->y = dc->vportOrgY; + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END;
- SafePoint.x = dc->vportOrgX; - SafePoint.y = dc->vportOrgY; - - Status = MmCopyToCaller(Point, &SafePoint, sizeof(POINT)); if(!NT_SUCCESS(Status)) { SetLastNtError(Status); @@ -690,13 +824,22 @@
if (Size) { - SIZE SafeSize; - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS; + + _SEH_TRY + { + ProbeForWrite(Size, + sizeof(SIZE), + 1); + Size->cx = dc->wndExtX; + Size->cy = dc->wndExtY; + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END;
- SafeSize.cx = dc->wndExtX; - SafeSize.cy = dc->wndExtY; - - Status = MmCopyToCaller(Size, &SafeSize, sizeof(SIZE)); if(!NT_SUCCESS(Status)) { SetLastNtError(Status); @@ -732,13 +875,22 @@
if (Point) { - POINT SafePoint; - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS; + + _SEH_TRY + { + ProbeForWrite(Point, + sizeof(POINT), + 1); + Point->x = dc->wndOrgX; + Point->y = dc->wndOrgY; + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END;
- SafePoint.x = dc->wndOrgX; - SafePoint.y = dc->wndOrgY; - - Status = MmCopyToCaller(Point, &SafePoint, sizeof(POINT)); if(!NT_SUCCESS(Status)) { SetLastNtError(Status); @@ -762,7 +914,7 @@ CONST LPXFORM XForm) { PDC dc; - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS;
dc = DC_LockDc (hDC); if ( !dc ) @@ -785,7 +937,19 @@ return FALSE; }
- Status = MmCopyFromCaller(&dc->w.xformWorld2Wnd, XForm, sizeof(XFORM)); + _SEH_TRY + { + ProbeForRead(XForm, + sizeof(XFORM), + 1); + dc->w.xformWorld2Wnd = *XForm; + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + if(!NT_SUCCESS(Status)) { DC_UnlockDc(dc); _____
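Review bot: `dc->w.xformWorld2Wnd = *XForm;` copies from user memory straight into live DC state, so a fault partway through the copy leaves the DC's world transform half-updated even though the call then reports failure. ProbeForRead checks the address range, not that every page is readable, which is why the SEH block is needed at all. I would capture into a local first, as the `SafeXForm = *UnsafeXForm;` hunk earlier in this file does, and assign `dc->w.xformWorld2Wnd = SafeXForm;` only after `NT_SUCCESS(Status)`. Any validation of the matrix done outside this hunk should then run on the captured copy as well.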
Modified: trunk/reactos/subsys/win32k/objects/dc.c
--- trunk/reactos/subsys/win32k/objects/dc.c 2005-07-26 11:22:48 UTC (rev 16737)
+++ trunk/reactos/subsys/win32k/objects/dc.c 2005-07-26 12:22:55 UTC (rev 16738)
@@ -69,7 +69,7 @@
} \ BOOL STDCALL NtGdi##FuncName ( HDC hdc, LP##type pt ) \ { \ - NTSTATUS Status; \ + NTSTATUS Status = STATUS_SUCCESS; \ type Safept; \ PDC dc; \ if(!pt) \ @@ -84,7 +84,18 @@ } \ Int##FuncName( dc, &Safept); \ DC_UnlockDc(dc); \ - Status = MmCopyToCaller(pt, &Safept, sizeof( type )); \ + _SEH_TRY \ + { \ + ProbeForWrite(pt, \ + sizeof( type ), \ + 1); \ + *pt = Safept; \ + } \ + _SEH_HANDLE \ + { \ + Status = _SEH_GetExceptionCode(); \ + } \ + _SEH_END; \ if(!NT_SUCCESS(Status)) \ { \ SetLastNtError(Status); \ @@ -830,11 +841,25 @@ UNICODE_STRING SafeDriver, SafeDevice; DEVMODEW SafeInitData; HDC Ret; - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS;
if(InitData) { - Status = MmCopyFromCaller(&SafeInitData, InitData, sizeof(DEVMODEW)); + _SEH_TRY + { + ProbeForRead(InitData, + sizeof(DEVMODEW), + 1); + RtlCopyMemory(&SafeInitData, + InitData, + sizeof(DEVMODEW)); + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + if(!NT_SUCCESS(Status)) { SetLastNtError(Status); @@ -878,11 +903,24 @@ UNICODE_STRING SafeDriver, SafeDevice; DEVMODEW SafeInitData; HDC Ret; - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS;
if(InitData) { - Status = MmCopyFromCaller(&SafeInitData, InitData, sizeof(DEVMODEW)); + _SEH_TRY + { + ProbeForRead(InitData, + sizeof(DEVMODEW), + 1); + RtlCopyMemory(&SafeInitData, + InitData, + sizeof(DEVMODEW)); + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; if(!NT_SUCCESS(Status)) { SetLastNtError(Status); @@ -1076,7 +1114,7 @@ BOOL Ret; DC *dc; POINT SafePoint; - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS;
if(!Point) { @@ -1093,7 +1131,19 @@
Ret = IntGdiGetDCOrgEx(dc, &SafePoint);
- Status = MmCopyToCaller(Point, &SafePoint, sizeof(POINT)); + _SEH_TRY + { + ProbeForWrite(Point, + sizeof(POINT), + 1); + *Point = SafePoint; + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + if(!NT_SUCCESS(Status)) { SetLastNtError(Status); @@ -1621,12 +1671,30 @@ { INT Ret; LPVOID SafeBuf; - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS;
if (count <= 0) { return 0; } + + _SEH_TRY + { + ProbeForWrite(buffer, + count, + 1); + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + + if(!NT_SUCCESS(Status)) + { + SetLastNtError(Status); + return 0; + }
SafeBuf = ExAllocatePoolWithTag(PagedPool, count, TAG_GDIOBJ); if(!SafeBuf) @@ -1637,7 +1705,19 @@
Ret = IntGdiGetObject(handle, count, SafeBuf);
- Status = MmCopyToCaller(buffer, SafeBuf, count); + _SEH_TRY + { + /* pointer already probed! */ + RtlCopyMemory(buffer, + SafeBuf, + count); + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + ExFreePool(SafeBuf); if(!NT_SUCCESS(Status)) { _____
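Review bot: The copy back to `buffer` always transfers `count` bytes of `SafeBuf`, which comes from `ExAllocatePoolWithTag` and is not cleared in the visible code. If IntGdiGetObject fills fewer than `count` bytes (its body is not shown here), the remainder is stale paged-pool contents handed to user mode. Either clear the buffer right after allocation with `RtlZeroMemory(SafeBuf, count);` or copy only the number of bytes the call reports in `Ret`. `count` is also used unbounded as the allocation size, which is worth capping to the largest GDI object structure.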
Modified: trunk/reactos/subsys/win32k/objects/fillshap.c
--- trunk/reactos/subsys/win32k/objects/fillshap.c 2005-07-26 11:22:48 UTC (rev 16737)
+++ trunk/reactos/subsys/win32k/objects/fillshap.c 2005-07-26 12:22:55 UTC (rev 16738)
@@ -845,7 +845,7 @@
{ DC *dc; LPPOINT Safept; - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS; BOOL Ret = FALSE;
if ( Count < 2 ) @@ -853,6 +853,24 @@ SetLastWin32Error(ERROR_INVALID_PARAMETER); return FALSE; } + + _SEH_TRY + { + ProbeForRead(UnsafePoints, + Count * sizeof(POINT), + 1); + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + + if (!NT_SUCCESS(Status)) + { + SetLastNtError(Status); + return FALSE; + }
dc = DC_LockDc(hDC); if(!dc) @@ -870,7 +888,19 @@ SetLastWin32Error(ERROR_NOT_ENOUGH_MEMORY); else { - Status = MmCopyFromCaller(Safept, UnsafePoints, sizeof(POINT) * Count); + _SEH_TRY + { + /* pointer was already probed! */ + RtlCopyMemory(Safept, + UnsafePoints, + Count * sizeof(POINT)); + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + if(!NT_SUCCESS(Status)) SetLastNtError(Status); else @@ -913,6 +943,28 @@
if(Count > 0) { + _SEH_TRY + { + ProbeForRead(Points, + Count * sizeof(POINT), + 1); + ProbeForRead(PolyCounts, + Count * sizeof(INT), + 1); + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + + if (!NT_SUCCESS(Status)) + { + DC_UnlockDc(dc); + SetLastNtError(Status); + return FALSE; + } + Safept = ExAllocatePoolWithTag(PagedPool, (sizeof(POINT) + sizeof(INT)) * Count, TAG_SHAPE); if(!Safept) { @@ -922,16 +974,23 @@ }
SafePolyPoints = (LPINT)&Safept[Count]; - - Status = MmCopyFromCaller(Safept, Points, sizeof(POINT) * Count); - if(!NT_SUCCESS(Status)) + + _SEH_TRY { - DC_UnlockDc(dc); - ExFreePool(Safept); - SetLastNtError(Status); - return FALSE; + /* pointers already probed! */ + RtlCopyMemory(Safept, + Points, + Count * sizeof(POINT)); + RtlCopyMemory(SafePolyPoints, + PolyCounts, + Count * sizeof(INT)); } - Status = MmCopyFromCaller(SafePolyPoints, PolyCounts, sizeof(INT) * Count); + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + if(!NT_SUCCESS(Status)) { DC_UnlockDc(dc); @@ -1520,7 +1579,7 @@ PTRIVERTEX SafeVertex; PVOID SafeMesh; ULONG SizeMesh; - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS;
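Review bot: Only `Count` POINT entries are probed and captured from `Points`, but `Count` is also the length of `PolyCounts`; if this follows Win32 PolyPolygon, `Points` holds the sum of all `PolyCounts` entries rather than `Count` points. In that case the drawing code would index `Safept` past the captured points, into the `SafePolyPoints` area and beyond the allocation. The sizes predate this commit (the removed MmCopyFromCaller calls used the same ones), but the rewrite is a good place to correct them: capture `PolyCounts` first, sum the captured values with an overflow check, then probe, allocate and copy that many points. The consumer of `Safept` is outside the hunk, so this needs confirming there.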
dc = DC_LockDc(hdc); if(!dc) @@ -1555,6 +1614,28 @@ SetLastWin32Error(ERROR_INVALID_PARAMETER); return FALSE; } + + _SEH_TRY + { + ProbeForRead(pVertex, + uVertex * sizeof(TRIVERTEX), + 1); + ProbeForRead(pMesh, + SizeMesh, + 1); + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + + if (!NT_SUCCESS(Status)) + { + DC_UnlockDc(dc); + SetLastWin32Error(Status); + return FALSE; + }
if(!(SafeVertex = ExAllocatePoolWithTag(PagedPool, (uVertex * sizeof(TRIVERTEX)) + SizeMesh, TAG_SHAPE))) { @@ -1562,16 +1643,25 @@ SetLastWin32Error(ERROR_NOT_ENOUGH_MEMORY); return FALSE; } - Status = MmCopyFromCaller(SafeVertex, pVertex, uVertex * sizeof(TRIVERTEX)); - if(!NT_SUCCESS(Status)) + + SafeMesh = (PTRIVERTEX)(SafeVertex + uVertex); + + _SEH_TRY { - DC_UnlockDc(dc); - ExFreePool(SafeVertex); - SetLastNtError(Status); - return FALSE; + /* pointers were already probed! */ + RtlCopyMemory(SafeVertex, + pVertex, + uVertex * sizeof(TRIVERTEX)); + RtlCopyMemory(SafeMesh, + pMesh, + SizeMesh); } - SafeMesh = (PTRIVERTEX)(SafeVertex + uVertex); - Status = MmCopyFromCaller(SafeMesh, pMesh, SizeMesh); + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + if(!NT_SUCCESS(Status)) { DC_UnlockDc(dc); _____
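Review bot: The new failure path after the two probes calls `SetLastWin32Error(Status);`, passing an NTSTATUS where a Win32 error code is expected; every other probe failure in this commit uses `SetLastNtError(Status);`. User mode would see the raw status value as its last error instead of the translated code. Change the line to `SetLastNtError(Status);`.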
Modified: trunk/reactos/subsys/win32k/objects/line.c
--- trunk/reactos/subsys/win32k/objects/line.c 2005-07-26 11:22:48 UTC (rev 16737)
+++ trunk/reactos/subsys/win32k/objects/line.c 2005-07-26 12:22:55 UTC (rev 16738)
@@ -503,7 +503,7 @@
{ DC *dc; POINT SafePoint; - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS; BOOL Ret;
dc = DC_LockDc(hDC); @@ -521,7 +521,19 @@
if(Point) { - Status = MmCopyFromCaller(&SafePoint, Point, sizeof(POINT)); + _SEH_TRY + { + ProbeForRead(Point, + sizeof(POINT), + 1); + SafePoint = *Point; + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + if(!NT_SUCCESS(Status)) { DC_UnlockDc(dc); @@ -544,7 +556,7 @@ { DC *dc; LPPOINT Safept; - NTSTATUS Status; + NTSTATUS Status = STATUS_SUCCESS; BOOL Ret;
dc = DC_LockDc(hDC); @@ -562,6 +574,25 @@
if(Count > 0) { [truncated at 1000 lines; 1059 more skipped]