[tkreuzer] 66273: [WIN32K] In NtGdiGetDIBitsInternal limit the size of what is being copied back to to usermode to the cjMaxInfo parameter. Fixes crash of Firefox when downloading files. CORE-8895 ... - Ros-diffs

15 Feb 2015

Author: tkreuzer
Date: Sun Feb 15 00:05:50 2015
New Revision: 66273
URL: http://svn.reactos.org/svn/reactos?rev=66273&view=rev
Log:
[WIN32K]
In NtGdiGetDIBitsInternal limit the size of what is being copied back to to usermode to the cjMaxInfo parameter. Fixes crash of Firefox when downloading files.
CORE-8895 #resolve
Modified:
    trunk/reactos/win32ss/gdi/ntgdi/dibobj.c
Modified: trunk/reactos/win32ss/gdi/ntgdi/dibobj.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/ntgdi/dibobj.c?...
==============================================================================

--- trunk/reactos/win32ss/gdi/ntgdi/dibobj.c	[iso-8859-1] (original)
+++ trunk/reactos/win32ss/gdi/ntgdi/dibobj.c	[iso-8859-1] Sun Feb 15 00:05:50 2015
@@ -674,7 +674,7 @@
     RGBQUAD* rgbQuads;
     VOID* colorPtr;
-    DPRINT("Entered NtGdiGetDIBitsInternal()\n");
+    DPRINT("Entered GreGetDIBitsInternal()\n");
if ((Usage && Usage != DIB_PAL_COLORS) || !Info || !hBitmap)
         return 0;
@@ -1090,7 +1090,7 @@
         _SEH2_TRY
         {
             /* Copy the data back */
-            cjMaxInfo = DIB_BitmapInfoSize(pbmi, (WORD)iUsage);
+            cjMaxInfo = min(cjMaxInfo, DIB_BitmapInfoSize(pbmi, (WORD)iUsage));
             ProbeForWrite(pbmiUser, cjMaxInfo, 1);
             RtlCopyMemory(pbmiUser, pbmi, cjMaxInfo);
         }

    