From 33ebdeff91b7ad709aae27ca858f6afd9c621f87 Mon Sep 17 00:00:00 2001 From: Joachim Henze Date: Mon, 15 Nov 2021 12:08:14 +0100 Subject: [PATCH] [0.4.9][NTGDI] Fix potential BSOD 0x1E CORE-17626 in CreateDIBPalette() when passing invalid arguments to CreateDIBSection. This could be triggered by using the broken test-application "GDIProg". After this patch not only the BSOD is fixed but also the app does properly start up, like it is the case on 2k3sp2. The problem was unhidden by the innocent and unrelated 0.4.12-dev-266-g 8ab3652c0112d152ba87ea10db15a6837dc89e94 I was not able to trigger the bug in releases older than 0.4.12, but it is rather obvious that the mentioned revision is not really 'guilty', which is why I will port the fix back further into releases even older than 0.4.12 as well. Thanks to the patches author Doug Lyons. a squashed port of: 0.4.15-dev-2734-g 514147776a7e70636911033ab6c89779b2c8ee1e (fixes the BSOD) 0.4.15-dev-2775-g c596fd3ef6933c9eec95a47c807d01d3776bbcc0 (improvement #3758) 0.4.15-dev-2776-g 4130f0b1c5f869614c71818bb7c30447d894afc8 (compilation fix) and some white-space tweaking that was committed after those. --- win32ss/gdi/ntgdi/dibobj.c | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/win32ss/gdi/ntgdi/dibobj.c b/win32ss/gdi/ntgdi/dibobj.c index f935bc5d543..0453aaeb747 100644 --- a/win32ss/gdi/ntgdi/dibobj.c +++ b/win32ss/gdi/ntgdi/dibobj.c @@ -127,15 +127,25 @@ CreateDIBPalette( { /* The colors are an array of RGBQUAD values */ RGBQUAD *prgb = (RGBQUAD*)((PCHAR)pbmi + pbmi->bmiHeader.biSize); + RGBQUAD colors[256] = {{0}}; // FIXME: do we need to handle PALETTEINDEX / PALETTERGB macro? - /* Loop all color indices in the DIB */ - for (i = 0; i < cColors; i++) + /* Use SEH to verify we can READ prgb[] succesfully */ + _SEH2_TRY + { + RtlCopyMemory(colors, prgb, cColors * sizeof(colors[0])); + } + _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) + { + /* Do Nothing */ + } + _SEH2_END; + + for (i = 0; i < cColors; ++i) { /* Get the color value and translate it to a COLORREF */ - RGBQUAD rgb = prgb[i]; - COLORREF crColor = RGB(rgb.rgbRed, rgb.rgbGreen, rgb.rgbBlue); + COLORREF crColor = RGB(colors[i].rgbRed, colors[i].rgbGreen, colors[i].rgbBlue); /* Set the RGB value in the palette */ PALETTE_vSetRGBColorForIndex(ppal, i, crColor); @@ -501,7 +511,7 @@ NtGdiSetDIBitsToDeviceInternal( ret = 0; goto Exit; } - _SEH2_END + _SEH2_END; ScanLines = min(ScanLines, abs(bmi->bmiHeader.biHeight) - StartScan); if (ScanLines == 0) @@ -779,7 +789,7 @@ GreGetDIBitsInternal( Info->bmiHeader.biSizeImage = DIB_GetDIBImageBytes( Info->bmiHeader.biWidth, Info->bmiHeader.biHeight, Info->bmiHeader.biBitCount); - Info->bmiHeader.biCompression = (Info->bmiHeader.biBitCount == 16 || Info->bmiHeader.biBitCount == 32) ? + Info->bmiHeader.biCompression = (Info->bmiHeader.biBitCount == 16 || Info->bmiHeader.biBitCount == 32) ? BI_BITFIELDS : BI_RGB; Info->bmiHeader.biXPelsPerMeter = 0; Info->bmiHeader.biYPelsPerMeter = 0; @@ -1250,7 +1260,7 @@ NtGdiStretchDIBitsInternal( ExFreePoolWithTag(pvBits, 'pmeT'); _SEH2_YIELD(return 0); } - _SEH2_END + _SEH2_END; } else { @@ -1501,7 +1511,7 @@ NtGdiCreateDIBitmapInternal( { Status = _SEH2_GetExceptionCode(); } - _SEH2_END + _SEH2_END; if(!NT_SUCCESS(Status)) { @@ -1683,7 +1693,7 @@ NtGdiCreateDIBSection( { Status = _SEH2_GetExceptionCode(); } - _SEH2_END + _SEH2_END; if(!NT_SUCCESS(Status)) {