From 3cacdf6d55d6faf5c272d03c43296a0325ce6e95 Mon Sep 17 00:00:00 2001
From: Eugene Ingerman <geneing@myrealbox.com>
Date: Fri, 14 Mar 2003 22:48:32 +0000
Subject: [PATCH] Added safe copy from user.

svn path=/trunk/; revision=4302
---
 reactos/lib/gdi32/misc/stubs.c        | 16 +------
 reactos/lib/gdi32/objects/dc.c        | 11 ++++-
 reactos/subsys/win32k/ntuser/window.c | 58 +++++++++++++++++++----
 reactos/subsys/win32k/objects/coord.c | 68 ++++++++++++++++++++-------
 4 files changed, 113 insertions(+), 40 deletions(-)

diff --git a/reactos/lib/gdi32/misc/stubs.c b/reactos/lib/gdi32/misc/stubs.c
index 58ffb14cd30..6a7db58d177 100644
--- a/reactos/lib/gdi32/misc/stubs.c
+++ b/reactos/lib/gdi32/misc/stubs.c
@@ -1,4 +1,4 @@
-/* $Id: stubs.c,v 1.13 2003/01/25 23:09:40 ei Exp $
+/* $Id: stubs.c,v 1.14 2003/03/14 22:48:32 ei Exp $
  *
  * reactos/lib/gdi32/misc/stubs.c
  *
@@ -2089,20 +2089,6 @@ DPtoLP(
 
 
 
-BOOL
-STDCALL
-LPtoDP(
-	HDC	a0,
-	LPPOINT	a1,
-	int	a2
-	)
-{
-	SetLastError(ERROR_CALL_NOT_IMPLEMENTED);
-	return FALSE;
-}
-
-
-
 BOOL
 STDCALL
 Polygon(
diff --git a/reactos/lib/gdi32/objects/dc.c b/reactos/lib/gdi32/objects/dc.c
index 47d2dbaffbc..62f1b6219bf 100644
--- a/reactos/lib/gdi32/objects/dc.c
+++ b/reactos/lib/gdi32/objects/dc.c
@@ -197,4 +197,13 @@ RealizePalette(
 }
 
 
-
+BOOL
+STDCALL
+LPtoDP(
+	HDC	a0,
+	LPPOINT	a1,
+	int	a2
+	)
+{
+	return W32kLPtoDP(a0, a1, a2);
+}
diff --git a/reactos/subsys/win32k/ntuser/window.c b/reactos/subsys/win32k/ntuser/window.c
index 72c9109c4a8..c7157468054 100644
--- a/reactos/subsys/win32k/ntuser/window.c
+++ b/reactos/subsys/win32k/ntuser/window.c
@@ -1,4 +1,4 @@
-/* $Id: window.c,v 1.30 2003/03/12 08:26:54 rcampbell Exp $
+/* $Id: window.c,v 1.31 2003/03/14 22:48:32 ei Exp $
  *
  * COPYRIGHT:        See COPYING in the top level directory
  * PROJECT:          ReactOS kernel
@@ -24,9 +24,12 @@
 #include <include/msgqueue.h>
 #include <include/rect.h>
 
-#define NDEBUG
+//#define NDEBUG
+#include <win32k/debug1.h>
 #include <debug.h>
 
+#define TAG_WNAM  TAG('W', 'N', 'A', 'M')
+
 /* FUNCTIONS *****************************************************************/
 
 HWND STDCALL
@@ -156,20 +159,35 @@ W32kReleaseWindowObject(PWINDOW_OBJECT Window)
   ObmDereferenceObject(Window);
 }
 
+/*!
+ * Internal function.
+ * Returns client window rectangle relative to the upper-left corner of client area.
+ *
+ * \note Does not check the validity of the parameters
+*/
 VOID
 W32kGetClientRect(PWINDOW_OBJECT WindowObject, PRECT Rect)
 {
+  ASSERT( WindowObject );
+  ASSERT( Rect );
+
   Rect->left = Rect->top = 0;
   Rect->right = WindowObject->ClientRect.right - WindowObject->ClientRect.left;
   Rect->bottom = 
     WindowObject->ClientRect.bottom - WindowObject->ClientRect.top;
 }
 
+/*!
+ * Internal Function.
+ * Return the dimension of the window in the screen coordinates.
+*/
 BOOL STDCALL
 W32kGetWindowRect(HWND hWnd, LPRECT Rect)
 {
   PWINDOW_OBJECT WindowObject;
 
+  ASSERT( Rect );
+
   WindowObject = W32kGetWindowObject(hWnd);
   if (WindowObject == NULL)
     {
@@ -184,12 +202,31 @@ W32kGetWindowRect(HWND hWnd, LPRECT Rect)
   return(TRUE);
 }
 
+/*!
+ * Return the dimension of the window in the screen coordinates.
+ * \param	hWnd	window handle.
+ * \param	Rect	pointer to the buffer where the coordinates are returned.
+*/
 BOOL STDCALL
 NtUserGetWindowRect(HWND hWnd, LPRECT Rect)
 {
-  return(W32kGetWindowRect(hWnd, Rect));
+  RECT SafeRect;
+  BOOL bRet;
+
+  bRet = W32kGetWindowRect(hWnd, &SafeRect);
+  if (! NT_SUCCESS(MmCopyToCaller(Rect, &SafeRect, sizeof(RECT)))){
+    return(FALSE);
+  }
+  return( bRet );
 }
 
+/*!
+ * Returns client window rectangle relative to the upper-left corner of client area.
+ *
+ * \param	hWnd	window handle.
+ * \param	Rect	pointer to the buffer where the coordinates are returned.
+ *
+*/
 BOOL STDCALL
 NtUserGetClientRect(HWND hWnd, LPRECT Rect)
 {
@@ -230,15 +267,17 @@ HWND
 W32kGetFocusWindow(VOID)
 {
   PUSER_MESSAGE_QUEUE Queue;
-  Queue = (PUSER_MESSAGE_QUEUE)W32kGetActiveDesktop()->ActiveMessageQueue;
+  PDESKTOP_OBJECT pdo = W32kGetActiveDesktop();
+
+  if( !pdo )
+	return NULL;
+
+  Queue = (PUSER_MESSAGE_QUEUE)pdo->ActiveMessageQueue;
+
   if (Queue == NULL)
-    {
       return(NULL);
-    }
   else
-    {
       return(Queue->FocusWindow);
-    }
 }
 
 
@@ -249,6 +288,9 @@ W32kGetWindowProc(HWND Wnd)
   WNDPROC WndProc;
 
   WindowObject = W32kGetWindowObject(Wnd);
+  if( !WindowObject )
+	return NULL;
+
   WndProc = WindowObject->Class->Class.lpfnWndProc;
   W32kReleaseWindowObject(Wnd);
   return(WndProc);
diff --git a/reactos/subsys/win32k/objects/coord.c b/reactos/subsys/win32k/objects/coord.c
index 138294cb5c5..ef78acb2ace 100644
--- a/reactos/subsys/win32k/objects/coord.c
+++ b/reactos/subsys/win32k/objects/coord.c
@@ -1,4 +1,4 @@
-/* $Id: coord.c,v 1.8 2002/07/13 21:37:26 ei Exp $
+/* $Id: coord.c,v 1.9 2003/03/14 22:48:31 ei Exp $
  *
  * COPYRIGHT:        See COPYING in the top level directory
  * PROJECT:          ReactOS kernel
@@ -13,34 +13,38 @@
 #include <ddk/ntddk.h>
 #include <win32k/coord.h>
 #include <win32k/dc.h>
-
 //#define NDEBUG
 #include <win32k/debug1.h>
 
 /* FUNCTIONS *****************************************************************/
 
-BOOL STDCALL W32kCombineTransform(LPXFORM  XFormResult,
-                           CONST LPXFORM  xform1,
-                           CONST LPXFORM  xform2)
+BOOL STDCALL W32kCombineTransform(LPXFORM  UnsafeXFormResult,
+                           CONST LPXFORM  Unsafexform1,
+                           CONST LPXFORM  Unsafexform2)
 {
   XFORM  xformTemp;
+  XFORM  xform1, xform2;
 
   /* Check for illegal parameters */
-  if (!XFormResult || !xform1 || !xform2)
+  if (!UnsafeXFormResult || !Unsafexform1 || !Unsafexform2)
   {
     return  FALSE;
   }
+
+  MmCopyFromCaller( &xform1, Unsafexform1, sizeof(XFORM) );
+  MmCopyFromCaller( &xform2, Unsafexform2, sizeof(XFORM) );
+
   /* Create the result in a temporary XFORM, since xformResult may be
    * equal to xform1 or xform2 */
-  xformTemp.eM11 = xform1->eM11 * xform2->eM11 + xform1->eM12 * xform2->eM21;
-  xformTemp.eM12 = xform1->eM11 * xform2->eM12 + xform1->eM12 * xform2->eM22;
-  xformTemp.eM21 = xform1->eM21 * xform2->eM11 + xform1->eM22 * xform2->eM21;
-  xformTemp.eM22 = xform1->eM21 * xform2->eM12 + xform1->eM22 * xform2->eM22;
-  xformTemp.eDx  = xform1->eDx  * xform2->eM11 + xform1->eDy  * xform2->eM21 + xform2->eDx;
-  xformTemp.eDy  = xform1->eDx  * xform2->eM12 + xform1->eDy  * xform2->eM22 + xform2->eDy;
+  xformTemp.eM11 = xform1.eM11 * xform2.eM11 + xform1.eM12 * xform2.eM21;
+  xformTemp.eM12 = xform1.eM11 * xform2.eM12 + xform1.eM12 * xform2.eM22;
+  xformTemp.eM21 = xform1.eM21 * xform2.eM11 + xform1.eM22 * xform2.eM21;
+  xformTemp.eM22 = xform1.eM21 * xform2.eM12 + xform1.eM22 * xform2.eM22;
+  xformTemp.eDx  = xform1.eDx  * xform2.eM11 + xform1.eDy  * xform2.eM21 + xform2.eDx;
+  xformTemp.eDy  = xform1.eDx  * xform2.eM12 + xform1.eDy  * xform2.eM22 + xform2.eDy;
 
   /* Copy the result to xformResult */
-  *XFormResult = xformTemp;
+  MmCopyToCaller(  UnsafeXFormResult, &xformTemp, sizeof(XFORM) );
 
   return  TRUE;
 }
@@ -57,13 +61,25 @@ FLOAT x, y;
     y * Dc->w.xformVport2World.eM22 + Dc->w.xformVport2World.eDy;
 }
 
+/*!
+ * Converts points from device coordinates into logical coordinates. Conversion depends on the mapping mode,
+ * world transfrom, viewport origin settings for the given device context.
+ * \param	hDC		device context.
+ * \param	Points	an array of POINT structures (in/out).
+ * \param	Count	number of elements in the array of POINT structures.
+ * \return  TRUE 	if success.
+*/
 BOOL STDCALL
 W32kDPtoLP(HDC  hDC,
-	   LPPOINT  Points,
+	   LPPOINT  UnsafePoints,
 	   int  Count)
 {
   PDC Dc;
   ULONG i;
+  LPPOINT Points = (LPPOINT) ExAllocatePool( PagedPool, Count*sizeof(POINT));
+
+  ASSERT(Points);
+  MmCopyFromCaller( Points, UnsafePoints, Count*sizeof(POINT) );
 
   Dc = DC_HandleToPtr (hDC);
   if (Dc == NULL || !Dc->w.vport2WorldValid)
@@ -76,6 +92,8 @@ W32kDPtoLP(HDC  hDC,
       CoordDPtoLP(Dc, &Points[i]);
     }
   DC_ReleasePtr( hDC );
+
+  MmCopyToCaller(  UnsafePoints, Points, Count*sizeof(POINT) );
   return(TRUE);
 }
 
@@ -130,11 +148,23 @@ CoordLPtoDP(PDC Dc, LPPOINT Point)
     y * Dc->w.xformWorld2Vport.eM22 + Dc->w.xformWorld2Vport.eDy;
 }
 
+/*!
+ * Converts points from logical coordinates into device coordinates. Conversion depends on the mapping mode,
+ * world transfrom, viewport origin settings for the given device context.
+ * \param	hDC		device context.
+ * \param	Points	an array of POINT structures (in/out).
+ * \param	Count	number of elements in the array of POINT structures.
+ * \return  TRUE 	if success.
+*/
 BOOL STDCALL
-W32kLPtoDP(HDC hDC, LPPOINT Points, INT Count)
+W32kLPtoDP(HDC hDC, LPPOINT UnsafePoints, INT Count)
 {
   PDC Dc;
   ULONG i;
+  LPPOINT Points = (LPPOINT) ExAllocatePool( PagedPool, Count*sizeof(POINT));
+
+  ASSERT(Points);
+  MmCopyFromCaller( Points, UnsafePoints, Count*sizeof(POINT) );
 
   Dc = DC_HandleToPtr (hDC);
   if (Dc == NULL)
@@ -147,16 +177,22 @@ W32kLPtoDP(HDC hDC, LPPOINT Points, INT Count)
       CoordLPtoDP(Dc, &Points[i]);
     }
   DC_ReleasePtr( hDC );
+  MmCopyToCaller(  UnsafePoints, Points, Count*sizeof(POINT) );
   return(TRUE);
 }
 
 BOOL
 STDCALL
 W32kModifyWorldTransform(HDC  hDC,
-                               CONST LPXFORM  XForm,
+                               CONST LPXFORM  UnsafeXForm,
                                DWORD  Mode)
 {
   PDC  dc;
+  LPXFORM XForm = (LPXFORM) ExAllocatePool( PagedPool, sizeof( XFORM ) );
+
+  ASSERT( XForm );
+
+  MmCopyFromCaller( XForm, UnsafeXForm, sizeof( XFORM ) );
 
   dc = DC_HandleToPtr (hDC);
   if (!dc)