Author: tkreuzer
Date: Sat Oct 31 20:37:20 2015
New Revision: 69760
URL:
http://svn.reactos.org/svn/reactos?rev=69760&view=rev
Log:
[WIN32K]
Check the size of RLE bitmaps while decompressing. Fixes a possible buffer overrun.
Patch by Kamil Hornicek
CORE-8735 #resolve
Modified:
trunk/reactos/win32ss/gdi/eng/eng.h
trunk/reactos/win32ss/gdi/eng/rlecomp.c
trunk/reactos/win32ss/gdi/ntgdi/bitmaps.c
Modified: trunk/reactos/win32ss/gdi/eng/eng.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/eng/eng.h?rev=…
==============================================================================
--- trunk/reactos/win32ss/gdi/eng/eng.h [iso-8859-1] (original)
+++ trunk/reactos/win32ss/gdi/eng/eng.h [iso-8859-1] Sat Oct 31 20:37:20 2015
@@ -52,4 +52,5 @@
BYTE *CompressedBits,
BYTE *UncompressedBits,
LONG Delta,
- ULONG iFormat);
+ ULONG iFormat,
+ ULONG cjSizeImage);
Modified: trunk/reactos/win32ss/gdi/eng/rlecomp.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/eng/rlecomp.c?…
==============================================================================
--- trunk/reactos/win32ss/gdi/eng/rlecomp.c [iso-8859-1] (original)
+++ trunk/reactos/win32ss/gdi/eng/rlecomp.c [iso-8859-1] Sat Oct 31 20:37:20 2015
@@ -18,14 +18,14 @@
RLE_DELTA = 2 /* Delta */
};
-VOID DecompressBitmap(SIZEL Size, BYTE *CompressedBits, BYTE *UncompressedBits, LONG
Delta, ULONG Format)
+VOID DecompressBitmap(SIZEL Size, BYTE *CompressedBits, BYTE *UncompressedBits, LONG
Delta, ULONG Format, ULONG cjSizeImage)
{
INT x = 0;
INT y = Size.cy - 1;
INT c;
INT length;
INT width;
- INT height = Size.cy - 1;
+ INT height = y;
BYTE *begin = CompressedBits;
BYTE *bits = CompressedBits;
BYTE *temp;
@@ -40,7 +40,7 @@
_SEH2_TRY
{
- while (y >= 0)
+ while (y >= 0 && (bits - begin) <= cjSizeImage)
{
length = (*bits++) >> shift;
if (length)
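Review bot: The new bound on L56 still lets the loop read one byte past the compressed data: when `bits - begin == cjSizeImage` the condition holds and `*bits++` on L58 dereferences `begin + cjSizeImage`, one past the end, so the test should be `while (y >= 0 && (bits - begin) < cjSizeImage)`. The check is also made only once per outer iteration; the run bytes, escape codes and delta pairs consumed inside the body are not bounded by cjSizeImage, so a run whose declared length exceeds the remaining input is still read past the end, and the `_SEH2_TRY` on L53 only helps if that overrun happens to cross into an unmapped page. Since `bits - begin` is a signed pointer difference compared with a ULONG, an explicit cast such as `(ULONG)(bits - begin) < cjSizeImage` also keeps the comparison warning-free. The new parameter on L39-40 has no documentation; a comment such as `/* cjSizeImage: byte count of CompressedBits, used to stop decoding at end of input */` would help callers. DecompressBitmap's body continues outside the hunk.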
Modified: trunk/reactos/win32ss/gdi/ntgdi/bitmaps.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/ntgdi/bitmaps.…
==============================================================================
--- trunk/reactos/win32ss/gdi/ntgdi/bitmaps.c [iso-8859-1] (original)
+++ trunk/reactos/win32ss/gdi/ntgdi/bitmaps.c [iso-8859-1] Sat Oct 31 20:37:20 2015
@@ -107,7 +107,6 @@
pvCompressedBits = pvBits;
pvBits = NULL;
iFormat = (iFormat == BMF_4RLE) ? BMF_4BPP : BMF_8BPP;
- cjSizeImage = 0;
}
/* Allocate a surface */
@@ -117,7 +116,7 @@
iFormat,
fjBitmap,
cjWidthBytes,
- cjSizeImage,
+ pvCompressedBits ? 0 : cjSizeImage,
pvBits);
if (!psurf)
{
@@ -136,7 +135,7 @@
lDelta = WIDTH_BYTES_ALIGN32(nWidth, gajBitsPerFormat[iFormat]);
pvBits = psurf->SurfObj.pvBits;
- DecompressBitmap(sizl, pvCompressedBits, pvBits, lDelta, iFormat);
+ DecompressBitmap(sizl, pvCompressedBits, pvBits, lDelta, iFormat, cjSizeImage);
}
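Review bot: The `cjSizeImage` passed to DecompressBitmap on L86 is the value the caller supplied, and nothing in these hunks shows it being checked against the length of the buffer `pvCompressedBits` actually points to, or rejected when it is zero. With `cjSizeImage == 0` the new loop bound in DecompressBitmap stops after the first run and silently yields a mostly empty bitmap instead of failing, so a guard that rejects a zero (or otherwise implausible) size for compressed input before the call is worth adding unless that validation already exists earlier in the function. The surface allocation on L78 now passes 0 for compressed input; a short comment there, `/* RLE: the surface is sized from cjWidthBytes, not from the compressed size */`, would explain the ternary. The enclosing function starts and ends outside these hunks.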
/* Get the handle for the bitmap */