Author: tkreuzer
Date: Tue Oct 18 13:13:37 2011
New Revision: 54188

URL: http://svn.reactos.org/svn/reactos?rev=54188&view=rev
Log:
[WIN32K]
Copy the BITMAPINFO to a safe kernel mode buffer, before accessing it. Fixes 
bug 6587.

Modified:
    trunk/reactos/subsystems/win32/win32k/objects/dibobj.c

Modified: trunk/reactos/subsystems/win32/win32k/objects/dibobj.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/objects/dibobj.c?rev=54188&r1=54187&r2=54188&view=diff
==============================================================================
--- trunk/reactos/subsystems/win32/win32k/objects/dibobj.c [iso-8859-1] 
(original)
+++ trunk/reactos/subsystems/win32/win32k/objects/dibobj.c [iso-8859-1] Tue Oct 
18 13:13:37 2011
@@ -365,13 +365,19 @@
     EXLATEOBJ exlo;
     PPALETTE ppalDIB = NULL;
     HPALETTE hpalDIB = NULL;
+    LPBITMAPINFO pbmiSafe;
 
     if (!Bits) return 0;
+
+    pbmiSafe = ExAllocatePoolWithTag(PagedPool, cjMaxInfo, 'pmTG');
+    if (!pbmiSafe) return 0;
 
     _SEH2_TRY
     {
         ProbeForRead(bmi, cjMaxInfo, 1);
         ProbeForRead(Bits, cjMaxBits, 1);
+        RtlCopyMemory(pbmiSafe, bmi, cjMaxInfo);
+        bmi = pbmiSafe;
     }
     _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
     {
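Review bot: cjMaxInfo is handed to ExAllocatePoolWithTag and RtlCopyMemory with no bound visible in this hunk, and it looks caller-supplied (it is the length given to ProbeForRead on the user pointer bmi), so a value smaller than sizeof(BITMAPINFOHEADER) leaves every later bmi->bmiHeader access reading past the end of the pool block, and a very large value lets user mode drive paged-pool consumption through this call. Unless the code before or after the hunk already rejects it, add `if (cjMaxInfo < sizeof(BITMAPINFOHEADER)) return 0;` ahead of the allocation, and validate biSize and the colour-table size against cjMaxInfo on the copied header rather than the user one. The copy does remove the double-fetch on the header fields, which is the point of the fix; Bits is still read from user memory afterwards, which is acceptable only if no size-bearing field is fetched from it twice. The function's declarations and the body of the except handler lie outside the hunk.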
@@ -381,19 +387,19 @@
 
     if (!NT_SUCCESS(Status))
     {
-        return 0;
+        goto Exit2;
     }
 
     pDC = DC_LockDc(hDC);
     if (!pDC)
     {
         EngSetLastError(ERROR_INVALID_HANDLE);
-        return 0;
+        goto Exit2;
     }
     if (pDC->dctype == DC_TYPE_INFO)
     {
         DC_UnlockDc(pDC);
-        return 0;
+        goto Exit2;
     }
 
     pSurf = pDC->dclevel.pSurface;
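Review bot: The three early exits now `goto Exit2`, which ends in `return ret;`, where the original code returned the literal 0; unless `ret` is initialised to 0 at its declaration (above this hunk, not visible), a failed ProbeForRead, a bad DC handle or an info DC now returns an indeterminate value to the caller. Either initialise `ret` at its declaration or set it explicitly on each path, e.g. `ret = 0; goto Exit2;`. The Status test at the top likewise relies on the except handler, outside the hunk, assigning Status on every exception path.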
@@ -505,7 +511,8 @@
     if (hSourceBitmap) EngDeleteSurface((HSURF)hSourceBitmap);
     if (hpalDIB) GreDeleteObject(hpalDIB);
     DC_UnlockDc(pDC);
-
+Exit2:
+    ExFreePool(pbmiSafe);
     return ret;
 }
 
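Review bot: The buffer is released with `ExFreePool` although it was allocated with the tag 'pmTG'; pair it with `ExFreePoolWithTag(pbmiSafe, 'pmTG');` so pool-tag accounting and the checked-build tag-mismatch check remain meaningful. A named constant for the tag, if the file does not already define one outside this hunk, would keep the allocation and free from drifting apart. The body of the function before `Exit2` is outside the hunk.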

