Author: tfaber
Date: Sat Oct 1 08:25:35 2016
New Revision: 72871
URL:
http://svn.reactos.org/svn/reactos?rev=72871&view=rev
Log:
[WIN32K:NTGDI]
- Handle arbitrary-length DEVMODEW structures in NtGdiOpenDCW. Patch by Katayama Hirofumi
MZ with small changes by me.
CORE-12068 #resolve
Modified:
trunk/reactos/win32ss/gdi/ntgdi/dclife.c
Modified: trunk/reactos/win32ss/gdi/ntgdi/dclife.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/ntgdi/dclife.c…
==============================================================================
--- trunk/reactos/win32ss/gdi/ntgdi/dclife.c [iso-8859-1] (original)
+++ trunk/reactos/win32ss/gdi/ntgdi/dclife.c [iso-8859-1] Sat Oct 1 08:25:35 2016
@@ -692,9 +692,11 @@
{
UNICODE_STRING ustrDevice;
WCHAR awcDevice[CCHDEVICENAME];
- DEVMODEW dmInit;
PVOID dhpdev;
HDC hdc;
+ WORD dmSize, dmDriverExtra;
+ DWORD Size;
+ DEVMODEW * _SEH2_VOLATILE pdmAllocated = NULL;
/* Only if a devicename is given, we need any data */
if (pustrDevice)
@@ -711,13 +713,22 @@
/* Copy the string */
RtlCopyUnicodeString(&ustrDevice, pustrDevice);
+ /* Allocate and store pdmAllocated if pdmInit is not NULL */
if (pdmInit)
{
- /* FIXME: could be larger */
- /* According to a comment in Windows SDK the size of the buffer for
- pdm is (pdm->dmSize + pdm->dmDriverExtra) */
ProbeForRead(pdmInit, sizeof(DEVMODEW), 1);
- RtlCopyMemory(&dmInit, pdmInit, sizeof(DEVMODEW));
+
+ dmSize = pdmInit->dmSize;
+ dmDriverExtra = pdmInit->dmDriverExtra;
+ Size = dmSize + dmDriverExtra;
+ ProbeForRead(pdmInit, Size, 1);
+
+ pdmAllocated = ExAllocatePoolWithTag(PagedPool |
POOL_RAISE_IF_ALLOCATION_FAILURE,
+ Size,
+ TAG_DC);
+ RtlCopyMemory(pdmAllocated, pdmInit, Size);
+ pdmAllocated->dmSize = dmSize;
+ pdmAllocated->dmDriverExtra = dmDriverExtra;
}
if (pUMdhpdev)
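Review bot: There is no lower bound on `Size` before the allocation, so a caller-supplied `dmSize + dmDriverExtra` that is smaller than the offset of the `dmSize`/`dmDriverExtra` members (including zero) yields a pool block that the two stores after `RtlCopyMemory` write past. The same undersized buffer is then passed to GreOpenDCW in the later hunk at -750, where the callee presumably expects at least the fixed part of a `DEVMODEW`; the old stack copy was always `sizeof(DEVMODEW)`. Capturing the two fields once and writing them back does cover the double fetch, but I would also reject undersized input before allocating, e.g. `if (dmSize < FIELD_OFFSET(DEVMODEW, dmFields)) ExRaiseStatus(STATUS_INVALID_PARAMETER);`, or use whatever minimum the consumers actually require. This assumes the code sits inside the `_SEH2_TRY` whose handler appears in the next hunk; the function begins and ends outside this hunk.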
@@ -727,6 +738,10 @@
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
+ if (pdmAllocated)
+ {
+ ExFreePoolWithTag(pdmAllocated, TAG_DC);
+ }
SetLastNtError(_SEH2_GetExceptionCode());
_SEH2_YIELD(return NULL);
}
@@ -750,7 +765,7 @@
/* Call the internal function */
hdc = GreOpenDCW(pustrDevice ? &ustrDevice : NULL,
- pdmInit ? &dmInit : NULL,
+ pdmAllocated,
NULL, // FIXME: pwszLogAddress
iType,
bDisplay,
@@ -773,6 +788,12 @@
(void)0;
}
_SEH2_END
+ }
+
+ /* Free the allocated */
+ if (pdmAllocated)
+ {
+ ExFreePoolWithTag(pdmAllocated, TAG_DC);
}
return hdc;
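Review bot: The comment `/* Free the allocated */` is truncated and does not say what is being released or why it is safe to release here. Something like `/* Free the kernel-mode copy of the caller's DEVMODEW; GreOpenDCW has returned and must not keep a pointer to it */` records the lifetime assumption, which matches the previous stack copy but is not verifiable from this hunk. The enclosing function starts outside the hunk.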