Author: khornicek Date: Wed Feb 22 10:22:28 2017 New Revision: 73877 URL: http://svn.reactos.org/svn/reactos?rev=73877&view=rev Log: [GDI32] - Fix a possible null pointer dereference in GetGlyphOutlineA. CID 513747 - SetDIBits should not accept null bitmap info at all. CID 513425 - Don't set the pdwResult pointer itself to null in TADC_GetAndSetDCDWord. CID 1321970 Modified: trunk/reactos/win32ss/gdi/gdi32/objects/bitmap.c trunk/reactos/win32ss/gdi/gdi32/objects/font.c trunk/reactos/win32ss/gdi/gdi32/wine/rosglue.c Modified: trunk/reactos/win32ss/gdi/gdi32/objects/bitmap.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/gdi32/objects/… ============================================================================== --- trunk/reactos/win32ss/gdi/gdi32/objects/bitmap.c [iso-8859-1] (original) +++ trunk/reactos/win32ss/gdi/gdi32/objects/bitmap.c [iso-8859-1] Wed Feb 22 10:22:28 2017 @@ -578,16 +578,13 @@ if (!lpvBits || (GDI_HANDLE_GET_TYPE(hBitmap) != GDI_OBJECT_TYPE_BITMAP)) return 0; - if (lpbmi) - { - if (lpbmi->bmiHeader.biSize >= sizeof(BITMAPINFOHEADER)) - { - if (lpbmi->bmiHeader.biCompression == BI_JPEG - || lpbmi->bmiHeader.biCompression == BI_PNG) - { - SetLastError(ERROR_INVALID_PARAMETER); - return 0; - } + if (lpbmi->bmiHeader.biSize >= sizeof(BITMAPINFOHEADER)) + { + if (lpbmi->bmiHeader.biCompression == BI_JPEG + || lpbmi->bmiHeader.biCompression == BI_PNG) + { + SetLastError(ERROR_INVALID_PARAMETER); + return 0; } } Modified: trunk/reactos/win32ss/gdi/gdi32/objects/font.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/gdi32/objects/… ============================================================================== --- trunk/reactos/win32ss/gdi/gdi32/objects/font.c [iso-8859-1] (original) +++ trunk/reactos/win32ss/gdi/gdi32/objects/font.c [iso-8859-1] Wed Feb 22 10:22:28 2017 @@ -132,7 +132,11 @@ strW = HeapAlloc(GetProcessHeap(), 0, lenW*sizeof(WCHAR)); if (!strW) return NULL; - MultiByteToWideChar(cp, 0, str, count, strW, lenW); + if(!MultiByteToWideChar(cp, 0, str, count, strW, lenW)) + { + HeapFree(GetProcessHeap(), 0, strW); + return NULL; + } DPRINT("mapped %s -> %S\n", str, strW); if(plenW) *plenW = lenW; if(pCP) *pCP = cp; @@ -1009,6 +1013,8 @@ mbchs[0] = (uChar & 0xff); } p = FONT_mbtowc(hdc, mbchs, len, NULL, NULL); + if(!p) + return GDI_ERROR; c = p[0]; } else Modified: trunk/reactos/win32ss/gdi/gdi32/wine/rosglue.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/gdi/gdi32/wine/ros… ============================================================================== --- trunk/reactos/win32ss/gdi/gdi32/wine/rosglue.c [iso-8859-1] (original) +++ trunk/reactos/win32ss/gdi/gdi32/wine/rosglue.c [iso-8859-1] Wed Feb 22 10:22:28 2017 @@ -1096,7 +1096,7 @@ case GdiGetSetArcDirection: if (GDI_HANDLE_GET_TYPE(physdev->hdc) == GDILoObjType_LO_METADC16_TYPE) - pdwResult = 0; + *pdwResult = 0; else *pdwResult = physdev->funcs->pSetArcDirection(physdev, dwIn); break;