Author: tkreuzer Date: Sun Feb 15 00:05:50 2015 New Revision: 66273
URL: http://svn.reactos.org/svn/reactos?rev=66273&view=rev Log: [WIN32K] In NtGdiGetDIBitsInternal limit the size of what is being copied back to usermode to the cjMaxInfo parameter. Fixes crash of Firefox when downloading files. CORE-8895 #resolve
Modified: trunk/reactos/win32ss/gdi/ntgdi/dibobj.c
Modified: trunk/reactos/win32ss/gdi/ntgdi/dibobj.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/ntgdi/dibobj.c?... ==============================================================================
--- trunk/reactos/win32ss/gdi/ntgdi/dibobj.c [iso-8859-1] (original)
+++ trunk/reactos/win32ss/gdi/ntgdi/dibobj.c [iso-8859-1] Sun Feb 15 00:05:50 2015
@@ -674,7 +674,7 @@
 RGBQUAD* rgbQuads;
 VOID* colorPtr;
- DPRINT("Entered NtGdiGetDIBitsInternal()\n");
+ DPRINT("Entered GreGetDIBitsInternal()\n");
 if ((Usage && Usage != DIB_PAL_COLORS) || !Info || !hBitmap)
 return 0;
@@ -1090,7 +1090,7 @@
 _SEH2_TRY
 {
 /* Copy the data back */
- cjMaxInfo = DIB_BitmapInfoSize(pbmi, (WORD)iUsage);
+ cjMaxInfo = min(cjMaxInfo, DIB_BitmapInfoSize(pbmi, (WORD)iUsage));
 ProbeForWrite(pbmiUser, cjMaxInfo, 1);
 RtlCopyMemory(pbmiUser, pbmi, cjMaxInfo);
 }
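Review bot: The clamp on the `+` line goes through `min`, which, if it is the usual ternary macro, expands `DIB_BitmapInfoSize(pbmi, (WORD)iUsage)` twice and compares it with `cjMaxInfo` under implicit conversions; neither declaration is visible in this hunk, so a signed return value cannot be ruled out from here. Since the result is the length handed to both `ProbeForWrite` and `RtlCopyMemory` for a user-mode buffer, I would compute the size once into a local (say `cjInfo`) and clamp explicitly: `if (cjInfo < cjMaxInfo) cjMaxInfo = cjInfo;`. The comment could also record the invariant, e.g. `/* Copy the data back, but never more than the cjMaxInfo bytes the caller provided */`. The `_SEH2_TRY` block sits inside a function that starts and ends outside the hunk.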