Author: tkreuzer
Date: Sat Oct 31 12:52:01 2015
New Revision: 69748
URL: 
http://svn.reactos.org/svn/reactos?rev=69748&view=rev
Log:
[WIN32K]
Fix parameter handling in NtGdiDoPalette
CORE-9435 #resolve
Modified:
    trunk/reactos/include/psdk/ntgdi.h
    trunk/reactos/win32ss/gdi/ntgdi/palette.c
Modified: trunk/reactos/include/psdk/ntgdi.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/include/psdk/ntgdi.h?rev=6…
==============================================================================
--- trunk/reactos/include/psdk/ntgdi.h  [iso-8859-1] (original)
+++ trunk/reactos/include/psdk/ntgdi.h  [iso-8859-1] Sat Oct 31 12:52:01 2015
@@ -439,8 +439,8 @@
     _In_ HGDIOBJ hObj,
     _In_ WORD iStart,
     _In_ WORD cEntries,
-    _When_((iFunc == GdiPalGetEntries) || (iFunc == GdiPalGetSystemEntries),
_Out_writes_bytes_(cEntries*sizeof(PALETTEENTRY)))
-    _When_((iFunc != GdiPalGetEntries) && (iFunc != GdiPalGetSystemEntries),
_In_reads_bytes_(cEntries*sizeof(PALETTEENTRY))) LPVOID pEntries,
+    _When_(bInbound!=0, _In_reads_bytes_(cEntries*sizeof(PALETTEENTRY)))
+    _When_(bInbound==0, _Out_writes_bytes_(cEntries*sizeof(PALETTEENTRY))) LPVOID
pEntries,
     _In_ DWORD iFunc,
     _In_ BOOL bInbound);
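Review bot: The new annotations on `pEntries` describe the buffer as mandatory, yet the definition in palette.c tests `if (pUnsafeEntries)` and therefore accepts NULL. The optional forms would match that contract: `_When_(bInbound!=0, _In_reads_bytes_opt_(cEntries*sizeof(PALETTEENTRY)))` and `_When_(bInbound==0, _Out_writes_bytes_opt_(cEntries*sizeof(PALETTEENTRY)))`. The same pair is repeated on the definition in palette.c and should change with it, so that static analysis neither flags legitimate NULL callers nor assumes a non-NULL pointer inside the body. The prototype starts above the hunk.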
Modified: trunk/reactos/win32ss/gdi/ntgdi/palette.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/ntgdi/palette.…
==============================================================================
--- trunk/reactos/win32ss/gdi/ntgdi/palette.c   [iso-8859-1] (original)
+++ trunk/reactos/win32ss/gdi/ntgdi/palette.c   [iso-8859-1] Sat Oct 31 12:52:01 2015
@@ -1055,39 +1055,38 @@
     return iResult;
 }
-W32KAPI
+__kernel_entry
 LONG
 APIENTRY
 NtGdiDoPalette(
-    IN HGDIOBJ hObj,
-    IN WORD iStart,
-    IN WORD cEntries,
-    IN LPVOID pUnsafeEntries,
-    IN DWORD iFunc,
-    IN BOOL bInbound)
+    _In_ HGDIOBJ hObj,
+    _In_ WORD iStart,
+    _In_ WORD cEntries,
+    _When_(bInbound!=0, _In_reads_bytes_(cEntries*sizeof(PALETTEENTRY)))
+    _When_(bInbound==0, _Out_writes_bytes_(cEntries*sizeof(PALETTEENTRY))) LPVOID
pUnsafeEntries,
+    _In_ DWORD iFunc,
+    _In_ BOOL bInbound)
 {
        LONG ret;
        LPVOID pEntries = NULL;
-
-       /* FIXME: Handle bInbound correctly */
-
-       if (bInbound &&
-           (pUnsafeEntries == NULL || cEntries == 0))
-       {
-               return 0;
-       }
+       SIZE_T cjSize;
        if (pUnsafeEntries)
        {
-               pEntries = ExAllocatePoolWithTag(PagedPool, cEntries *
sizeof(PALETTEENTRY), TAG_PALETTE);
+               if (cEntries == 0)
+                       return 0;
+
+               cjSize = cEntries * sizeof(PALETTEENTRY);
+               pEntries = ExAllocatePoolWithTag(PagedPool, cjSize, TAG_PALETTE);
                if (!pEntries)
                        return 0;
+
                if (bInbound)
                {
                        _SEH2_TRY
                        {
-                               ProbeForRead(pUnsafeEntries, cEntries *
sizeof(PALETTEENTRY), 1);
-                               memcpy(pEntries, pUnsafeEntries, cEntries *
sizeof(PALETTEENTRY));
+                               ProbeForRead(pUnsafeEntries, cjSize, 1);
+                               memcpy(pEntries, pUnsafeEntries, cjSize);
                        }
                        _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
                        {
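Review bot: With the early `bInbound && (pUnsafeEntries == NULL || cEntries == 0)` return removed, an inbound call with a NULL `pUnsafeEntries` now skips the whole `if (pUnsafeEntries)` block and continues with `pEntries == NULL`. The dispatch on `iFunc` sits between this hunk and the next and is not visible here, so the diff does not show whether every inbound case tolerates a NULL buffer. Since the pointer comes straight from user mode, that is worth pinning down. Either keep an explicit guard before the allocation, `if (bInbound && (pUnsafeEntries == NULL)) return 0;`, or add a comment such as `/* pEntries may be NULL here; each iFunc case must check it */`. The function body continues past the end of the hunk.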
@@ -1099,7 +1098,7 @@
                else
                {
                    /* Zero it out, so we don't accidentally leak kernel data */
-                   RtlZeroMemory(pEntries, cEntries * sizeof(PALETTEENTRY));
+                   RtlZeroMemory(pEntries, cjSize);
                }
        }
@@ -1137,12 +1136,13 @@
        if (pEntries)
        {
-               if (!bInbound)
+               if (!bInbound && (ret > 0))
                {
+                       cjSize = min(cEntries, ret) * sizeof(PALETTEENTRY);
                        _SEH2_TRY
                        {
-                               ProbeForWrite(pUnsafeEntries, cEntries *
sizeof(PALETTEENTRY), 1);
-                               memcpy(pUnsafeEntries, pEntries, cEntries *
sizeof(PALETTEENTRY));
+                               ProbeForWrite(pUnsafeEntries, cjSize, 1);
+                               memcpy(pUnsafeEntries, pEntries, cjSize);
                        }
                        _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
                        {