Author: tkreuzer Date: Sun Sep 30 22:02:02 2012 New Revision: 57445
URL: http://svn.reactos.org/svn/reactos?rev=57445&view=rev Log: [WIN32K] Fix the hack, so it doesn't cause overwriting of usermode memory.
Modified: trunk/reactos/win32ss/gdi/ntgdi/dibobj.c
Modified: trunk/reactos/win32ss/gdi/ntgdi/dibobj.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/ntgdi/dibobj.c?...
==============================================================================
--- trunk/reactos/win32ss/gdi/ntgdi/dibobj.c [iso-8859-1] (original)
+++ trunk/reactos/win32ss/gdi/ntgdi/dibobj.c [iso-8859-1] Sun Sep 30 22:02:02 2012
@@ -1007,6 +1007,7 @@
 PBITMAPINFO pbmi;
 HANDLE hSecure = NULL;
 INT iResult = 0;
+ UINT cjAlloc;
/* Check for bad iUsage */
 if (iUsage > 2) return 0;
@@ -1022,10 +1023,10 @@
// HACK: the underlying code sucks and doesn't care for the size, so we
 // give it the maximum ever needed
- cjMaxInfo = sizeof(BITMAPV5HEADER) + 256 * sizeof(RGBQUAD);
+ cjAlloc = sizeof(BITMAPV5HEADER) + 256 * sizeof(RGBQUAD);
/* Allocate a buffer the bitmapinfo */
- pbmi = ExAllocatePoolWithTag(PagedPool, cjMaxInfo, 'imBG');
+ pbmi = ExAllocatePoolWithTag(PagedPool, cjAlloc, 'imBG');
 if (!pbmi)
 {
 /* Fail */
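Review bot: Nothing in this hunk ties the caller-supplied `cjMaxInfo` to the new fixed `cjAlloc`, so once the allocation is `cjAlloc` bytes, any later copy into or out of `pbmi` that is sized by `cjMaxInfo` can run past the pool block when the caller passes a larger value. If the lines between the two hunks do not already clamp it, add `cjMaxInfo = min(cjMaxInfo, cjAlloc);` right after `cjAlloc` is set. `ExAllocatePoolWithTag` also returns uninitialized pool, and the buffer can be larger than the bytes the caller supplies, so `RtlZeroMemory(pbmi, cjAlloc);` after the NULL check would keep stale kernel data out of whatever the underlying code reads or copies back to user mode. The function body starts and ends outside the hunk, so both points need checking against the copy-in and copy-out code that is not shown here. The HACK comment would also benefit from stating the split, e.g. `// cjAlloc sizes the kernel buffer only; cjMaxInfo remains the user buffer size and must bound every user copy`.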