Author: tkreuzer Date: Sat Oct 31 12:52:01 2015 New Revision: 69748
URL: http://svn.reactos.org/svn/reactos?rev=69748&view=rev Log: [WIN32K] Fix parameter handling in NtGdiDoPalette CORE-9435 #resolve
Modified: trunk/reactos/include/psdk/ntgdi.h trunk/reactos/win32ss/gdi/ntgdi/palette.c
Modified: trunk/reactos/include/psdk/ntgdi.h
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/include/psdk/ntgdi.h?rev=69...
==============================================================================
--- trunk/reactos/include/psdk/ntgdi.h [iso-8859-1] (original)
+++ trunk/reactos/include/psdk/ntgdi.h [iso-8859-1] Sat Oct 31 12:52:01 2015
@@ -439,8 +439,8 @@
 _In_ HGDIOBJ hObj,
 _In_ WORD iStart,
 _In_ WORD cEntries,
- _When_((iFunc == GdiPalGetEntries) || (iFunc == GdiPalGetSystemEntries), _Out_writes_bytes_(cEntries*sizeof(PALETTEENTRY)))
- _When_((iFunc != GdiPalGetEntries) && (iFunc != GdiPalGetSystemEntries), _In_reads_bytes_(cEntries*sizeof(PALETTEENTRY))) LPVOID pEntries,
+ _When_(bInbound!=0, _In_reads_bytes_(cEntries*sizeof(PALETTEENTRY)))
+ _When_(bInbound==0, _Out_writes_bytes_(cEntries*sizeof(PALETTEENTRY))) LPVOID pEntries,
 _In_ DWORD iFunc,
 _In_ BOOL bInbound);
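Review bot: The new `_When_` annotations declare pEntries as a mandatory buffer (`_In_reads_bytes_` / `_Out_writes_bytes_`), yet the implementation in palette.c guards every access with `if (pUnsafeEntries)` and treats a NULL pointer as a legitimate "no buffer" call, so the `_opt_` forms would state the actual contract: `_When_(bInbound!=0, _In_reads_bytes_opt_(cEntries*sizeof(PALETTEENTRY)))` and `_When_(bInbound==0, _Out_writes_bytes_opt_(cEntries*sizeof(PALETTEENTRY)))`. The same annotation pair is repeated on the definition in the first palette.c hunk and should be changed together with this one. Note also that on the outbound path the implementation copies back only min(cEntries, ret) entries, so the `_Out_writes_bytes_` size is an upper bound rather than a guarantee that the whole buffer is filled; a one-line comment above the prototype saying so would spare callers that assumption.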
Modified: trunk/reactos/win32ss/gdi/ntgdi/palette.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/ntgdi/palette.c...
==============================================================================
--- trunk/reactos/win32ss/gdi/ntgdi/palette.c [iso-8859-1] (original)
+++ trunk/reactos/win32ss/gdi/ntgdi/palette.c [iso-8859-1] Sat Oct 31 12:52:01 2015
@@ -1055,39 +1055,38 @@
 return iResult;
 }

-W32KAPI
+__kernel_entry
 LONG
 APIENTRY
 NtGdiDoPalette(
- IN HGDIOBJ hObj,
- IN WORD iStart,
- IN WORD cEntries,
- IN LPVOID pUnsafeEntries,
- IN DWORD iFunc,
- IN BOOL bInbound)
+ _In_ HGDIOBJ hObj,
+ _In_ WORD iStart,
+ _In_ WORD cEntries,
+ _When_(bInbound!=0, _In_reads_bytes_(cEntries*sizeof(PALETTEENTRY)))
+ _When_(bInbound==0, _Out_writes_bytes_(cEntries*sizeof(PALETTEENTRY))) LPVOID pUnsafeEntries,
+ _In_ DWORD iFunc,
+ _In_ BOOL bInbound)
 {
 LONG ret;
 LPVOID pEntries = NULL;
-
- /* FIXME: Handle bInbound correctly */
-
- if (bInbound &&
- (pUnsafeEntries == NULL || cEntries == 0))
- {
- return 0;
- }
+ SIZE_T cjSize;

 if (pUnsafeEntries)
 {
- pEntries = ExAllocatePoolWithTag(PagedPool, cEntries * sizeof(PALETTEENTRY), TAG_PALETTE);
+ if (cEntries == 0)
+ return 0;
+
+ cjSize = cEntries * sizeof(PALETTEENTRY);
+ pEntries = ExAllocatePoolWithTag(PagedPool, cjSize, TAG_PALETTE);
 if (!pEntries)
 return 0;
+
 if (bInbound)
 {
 _SEH2_TRY
 {
- ProbeForRead(pUnsafeEntries, cEntries * sizeof(PALETTEENTRY), 1);
- memcpy(pEntries, pUnsafeEntries, cEntries * sizeof(PALETTEENTRY));
+ ProbeForRead(pUnsafeEntries, cjSize, 1);
+ memcpy(pEntries, pUnsafeEntries, cjSize);
 }
 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
 {
@@ -1099,7 +1098,7 @@
 else
 {
 /* Zero it out, so we don't accidentally leak kernel data */
- RtlZeroMemory(pEntries, cEntries * sizeof(PALETTEENTRY));
+ RtlZeroMemory(pEntries, cjSize);
 }
 }
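Review bot: Removing the `bInbound && pUnsafeEntries == NULL` early return changes what an inbound call with a NULL buffer does: it now skips the whole `if (pUnsafeEntries)` block and reaches the iFunc dispatch (below this hunk) with pEntries == NULL, where it previously returned 0 before touching any palette state. Whether every inbound handler tolerates a NULL entry pointer is not visible here; if NULL is meant to be rejected for inbound calls, keep a guard next to the new cEntries check, `if (bInbound && pUnsafeEntries == NULL) return 0;`, otherwise a comment stating that NULL means "no entries" for inbound calls would document the intent. The new `cjSize = cEntries * sizeof(PALETTEENTRY)` cannot overflow because cEntries is a WORD, which is worth a short comment so the next reader does not have to re-derive it, and cjSize is only assigned inside this block, so any later use must stay behind a pEntries check. The function body continues past the end of the hunk.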
@@ -1137,12 +1136,13 @@
 if (pEntries)
 {
- if (!bInbound)
+ if (!bInbound && (ret > 0))
 {
+ cjSize = min(cEntries, ret) * sizeof(PALETTEENTRY);
 _SEH2_TRY
 {
- ProbeForWrite(pUnsafeEntries, cEntries * sizeof(PALETTEENTRY), 1);
- memcpy(pUnsafeEntries, pEntries, cEntries * sizeof(PALETTEENTRY));
+ ProbeForWrite(pUnsafeEntries, cjSize, 1);
+ memcpy(pUnsafeEntries, pEntries, cjSize);
 }
 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
 {
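Review bot: The copy-back now depends on `ret` being a count of palette entries for every outbound iFunc; if any handler returns a different kind of positive value, `min(cEntries, ret)` silently under-copies, and since the dispatch sits above this hunk that assumption deserves a comment such as `/* ret is the number of entries the handler produced; never copy back more than the caller's cEntries */`. The `min()` bound itself is the right defensive choice, because pEntries was allocated for exactly cEntries entries and a larger ret must not read past it. Gating on `ret > 0` also means a failed or empty outbound call now leaves the user buffer untouched where it was previously overwritten, which is a behaviour change worth a line in the comment. `min(cEntries, ret)` compares a WORD with a LONG; with ret > 0 already established it is well-defined, but `min((LONG)cEntries, ret)` makes that explicit. The enclosing block continues past the hunk into the SEH handler.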