Author: tkreuzer Date: Tue Oct 18 13:13:37 2011 New Revision: 54188
URL: http://svn.reactos.org/svn/reactos?rev=54188&view=rev Log: [WIN32K] Copy the BITMAPINFO to a safe kernel mode buffer, before accessing it. Fixes bug 6587.
Modified: trunk/reactos/subsystems/win32/win32k/objects/dibobj.c
Modified: trunk/reactos/subsystems/win32/win32k/objects/dibobj.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/obj... ==============================================================================
--- trunk/reactos/subsystems/win32/win32k/objects/dibobj.c [iso-8859-1] (original)
+++ trunk/reactos/subsystems/win32/win32k/objects/dibobj.c [iso-8859-1] Tue Oct 18 13:13:37 2011
@@ -365,13 +365,19 @@
 EXLATEOBJ exlo;
 PPALETTE ppalDIB = NULL;
 HPALETTE hpalDIB = NULL;
+ LPBITMAPINFO pbmiSafe;
 if (!Bits) return 0;
+
+ pbmiSafe = ExAllocatePoolWithTag(PagedPool, cjMaxInfo, 'pmTG');
+ if (!pbmiSafe) return 0;
 _SEH2_TRY
 {
 ProbeForRead(bmi, cjMaxInfo, 1);
 ProbeForRead(Bits, cjMaxBits, 1);
+ RtlCopyMemory(pbmiSafe, bmi, cjMaxInfo);
+ bmi = pbmiSafe;
 }
 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
 {
@@ -381,19 +381,19 @@
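Review bot: The allocation on the `pbmiSafe = ExAllocatePoolWithTag(PagedPool, cjMaxInfo, 'pmTG');` line sizes the kernel copy from the caller-supplied `cjMaxInfo` with no lower bound visible in this hunk, so a value smaller than the header makes every later `bmi->bmiHeader` access read past the end of the pool block instead of past a user buffer. Unless a size check already exists earlier in the function (its start is outside the hunk), add one before the allocation, e.g. `if (cjMaxInfo < sizeof(BITMAPINFOHEADER)) return 0;` (or `sizeof(BITMAPCOREHEADER)` if core-format DIBs are accepted here), and consider a ceiling around the largest header plus a 256-entry colour table so an absurd length is rejected before it reaches the pool allocator. The allocation also precedes `ProbeForRead(bmi, cjMaxInfo, 1)`, so the length is handed to the allocator before the probe has had a chance to reject it; bounding it as above, or allocating only after the probe succeeds, closes that. Any later use of `bmi->bmiHeader.biSize` or of the colour table should likewise be compared against `cjMaxInfo`, since those fields are now only as trustworthy as the copied length.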
 if (!NT_SUCCESS(Status))
 {
- return 0;
+ goto Exit2;
 }
 pDC = DC_LockDc(hDC);
 if (!pDC)
 {
 EngSetLastError(ERROR_INVALID_HANDLE);
- return 0;
+ goto Exit2;
 }
 if (pDC->dctype == DC_TYPE_INFO)
 {
 DC_UnlockDc(pDC);
- return 0;
+ goto Exit2;
 }
 pSurf = pDC->dclevel.pSurface;
@@ -505,7 +511,8 @@
 if (hSourceBitmap) EngDeleteSurface((HSURF)hSourceBitmap);
 if (hpalDIB) GreDeleteObject(hpalDIB);
 DC_UnlockDc(pDC);
-
+Exit2:
+ ExFreePool(pbmiSafe);
 return ret;
 }
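Review bot: The three `goto Exit2;` lines replace `return 0;` with a jump to `return ret;`, so these early-exit paths now return whatever `ret` holds; `ret` is declared outside the hunk, and if it is not initialised to 0 at its declaration the caller would receive an indeterminate value where it previously received 0. If that is the case, either initialise it at the declaration (`INT ret = 0;`) or set `ret = 0;` before each jump. The enclosing function starts before and ends after this hunk.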
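Review bot: `ExFreePool(pbmiSafe);` under the new `Exit2:` label releases a block that was allocated with an explicit tag, so the free should be `ExFreePoolWithTag(pbmiSafe, 'pmTG');` to keep the pair symmetric and let pool tag checking catch a mismatched free. The label sits after `DC_UnlockDc(pDC);`, so the normal path and the early exits each free the copy exactly once, which looks right. The function's start is outside the hunk.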