[0.4.14][NTGDI] Fix potential BSOD 0x1E CORE-17626

in CreateDIBPalette() when passing invalid arguments to CreateDIBSection. This could be triggered by using the broken test-application "GDIProg". After this patch not only the BSOD is fixed but also the app does properly start up, like it is the case on 2k3sp2. Thanks to the patches author Doug Lyons. a squashed port of 0.4.15-dev-2776-g 4130f0b1c5 (compilation fix) 0.4.15-dev-2775-g c596fd3ef6 (improvement #3758) 0.4.15-dev-2734-g 514147776a (fixes the BSOD)
2025-02-24 01:15:09 +00:00 · 2021-06-25 12:01:03 +02:00 · 2021-06-25 12:01:03 +02:00 · 38322f9b14
commit 38322f9b14
parent 591b517fc6
1 changed files with 15 additions and 5 deletions
--- a/win32ss/gdi/ntgdi/dibobj.c
+++ b/win32ss/gdi/ntgdi/dibobj.c
@ -127,15 +127,25 @@ CreateDIBPalette(
        {
            /* The colors are an array of RGBQUAD values */
            RGBQUAD *prgb = (RGBQUAD*)((PCHAR)pbmi + pbmi->bmiHeader.biSize);
+            RGBQUAD colors[256] = {{0}};

            // FIXME: do we need to handle PALETTEINDEX / PALETTERGB macro?

-            /* Loop all color indices in the DIB */
-            for (i = 0; i < cColors; i++)
+            /* Use SEH to verify we can READ prgb[] succesfully */
+            _SEH2_TRY
+            {
+                RtlCopyMemory(colors, prgb, cColors * sizeof(colors[0]));
+            }
+            _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+            {
+              /* Do Nothing */
+            }
+            _SEH2_END;
+
+            for (i = 0; i < cColors; ++i)
            {
                /* Get the color value and translate it to a COLORREF */
-                RGBQUAD rgb = prgb[i];
-                COLORREF crColor = RGB(rgb.rgbRed, rgb.rgbGreen, rgb.rgbBlue);
+                COLORREF crColor = RGB(colors[i].rgbRed, colors[i].rgbGreen, colors[i].rgbBlue);

                /* Set the RGB value in the palette */
                PALETTE_vSetRGBColorForIndex(ppal, i, crColor);