[tkreuzer] 67058: [WIN32K] Check in BltMask if the masking operation would exceed the mask bitmap. Should fix crash when running gdi32_apitest MaskBlt. CORE-9483 - Ros-diffs

5 Apr 2015

Author: tkreuzer
Date: Sun Apr  5 08:40:52 2015
New Revision: 67058
URL: http://svn.reactos.org/svn/reactos?rev=67058&view=rev
Log:
[WIN32K]
Check in BltMask if the masking operation would exceed the mask bitmap. Should fix crash when running gdi32_apitest MaskBlt.
CORE-9483
Modified:
    trunk/reactos/win32ss/gdi/eng/bitblt.c
Modified: trunk/reactos/win32ss/gdi/eng/bitblt.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/eng/bitblt.c?re...
==============================================================================

--- trunk/reactos/win32ss/gdi/eng/bitblt.c	[iso-8859-1] (original)
+++ trunk/reactos/win32ss/gdi/eng/bitblt.c	[iso-8859-1] Sun Apr  5 08:40:52 2015
@@ -51,7 +51,7 @@
         POINTL* pptlBrush,
         ROP4 Rop4)
 {
-    LONG x, y;
+    LONG x, y, cx, cy;
     BYTE *pjMskLine, *pjMskCurrent;
     BYTE fjMaskBit0, fjMaskBit;
     /* Pattern brushes */
@@ -87,6 +87,14 @@
     }
     else
         psoPattern = NULL;
+
+    cx = prclDest->right - prclDest->left;
+    cy = prclDest->bottom - prclDest->top;
+    if ((pptlMask->x + cx > psoMask->sizlBitmap.cx) ||
+        (pptlMask->y + cy > psoMask->sizlBitmap.cy))
+    {
+        return FALSE;
+    }
pjMskLine = (PBYTE)psoMask->pvScan0 + pptlMask->y * psoMask->lDelta + (pptlMask->x >> 3);
     fjMaskBit0 = 0x80 >> (pptlMask->x & 0x07);

    