Author: jgardou Date: Wed May 26 00:46:57 2010 New Revision: 47355 URL: http://svn.reactos.org/svn/reactos?rev=47355&view=rev Log: [WIN32K] - Check devmode size in NtUserChangeDisplaySettings - Copy memory instead of setting fields in UserEnumDisplaySettings, so we don't lost anything. Modified: branches/reactos-yarotows/subsystems/win32/win32k/ntuser/display.c Modified: branches/reactos-yarotows/subsystems/win32/win32k/ntuser/display.c URL: http://svn.reactos.org/svn/reactos/branches/reactos-yarotows/subsystems/win… ============================================================================== --- branches/reactos-yarotows/subsystems/win32/win32k/ntuser/display.c [iso-8859-1] (original) +++ branches/reactos-yarotows/subsystems/win32/win32k/ntuser/display.c [iso-8859-1] Wed May 26 00:46:57 2010 @@ -648,11 +648,8 @@ cbExtra = lpDevMode->dmDriverExtra; ProbeForWrite(lpDevMode, cbSize + cbExtra, 1); - lpDevMode->dmPelsWidth = pdm->dmPelsWidth; - lpDevMode->dmPelsHeight = pdm->dmPelsHeight; - lpDevMode->dmBitsPerPel = pdm->dmBitsPerPel; - lpDevMode->dmDisplayFrequency = pdm->dmDisplayFrequency; - lpDevMode->dmDisplayFlags = pdm->dmDisplayFlags; + /* Output what we got */ + RtlCopyMemory(lpDevMode, pdm, min(cbSize, pdm->dmSize)); /* output private/extra driver data */ if (cbExtra > 0 && pdm->dmDriverExtra > 0) @@ -703,6 +700,8 @@ return DISP_CHANGE_BADPARAM; } } + else if (pdm->dmSize < FIELD_OFFSET(DEVMODEW, dmFields)) + return DISP_CHANGE_FAILED; else dm = *pdm;