From 514147776a7e70636911033ab6c89779b2c8ee1e Mon Sep 17 00:00:00 2001
From: Joachim Henze
Date: Sat, 19 Jun 2021 17:41:49 +0200
Subject: [PATCH] [NTGDI] Fix potential BSOD 0x1E CORE-17626 in CreateDIBPalette() when passing invalid arguments to CreateDIBSection. This could be triggered by using the broken test-application "GDIProg". After this patch not only the BSOD is fixed but also the app does properly start up, like it is the case on 2k3sp2. Thanks to the patches author Doug Lyons.
---
 win32ss/gdi/ntgdi/dibobj.c | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/win32ss/gdi/ntgdi/dibobj.c b/win32ss/gdi/ntgdi/dibobj.c
index 3d88101c8ab..1ae6e8affa9 100644
--- a/win32ss/gdi/ntgdi/dibobj.c
+++ b/win32ss/gdi/ntgdi/dibobj.c
@@ -45,6 +45,8 @@ CreateDIBPalette(
 {
 PPALETTE ppal;
 ULONG i, cBitsPixel, cColors;
+ RGBQUAD rgb;
+ NTSTATUS Status;
 if (pbmi->bmiHeader.biSize < sizeof(BITMAPINFOHEADER))
 {
@@ -133,12 +135,28 @@ CreateDIBPalette(
 /* Loop all color indices in the DIB */
 for (i = 0; i < cColors; i++)
 {
- /* Get the color value and translate it to a COLORREF */
- RGBQUAD rgb = prgb[i];
- COLORREF crColor = RGB(rgb.rgbRed, rgb.rgbGreen, rgb.rgbBlue);
+ /* User SEH to verify READ success */
+ Status = STATUS_SUCCESS;
+ _SEH2_TRY
+ {
+ rgb = prgb[i];
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ Status = _SEH2_GetExceptionCode();
+ /* On Read Failure, put zero in Palette */
+ PALETTE_vSetRGBColorForIndex(ppal, i, 0);
+ }
+ _SEH2_END
- /* Set the RGB value in the palette */
- PALETTE_vSetRGBColorForIndex(ppal, i, crColor);
+ if(NT_SUCCESS(Status))
+ {
+ /* Get the color value and translate it to a COLORREF */
+ COLORREF crColor = RGB(rgb.rgbRed, rgb.rgbGreen, rgb.rgbBlue);
+
+ /* Set the RGB value in the palette */
+ PALETTE_vSetRGBColorForIndex(ppal, i, crColor);
+ }
 }
 }
 else
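Review bot: The `_SEH2_TRY` around `rgb = prgb[i];` in the second hunk only handles reads that fault; if `cColors` is larger than the color table the caller actually supplied but the memory behind it is still mapped, the loop copies whatever lies there into the palette without raising any exception. Nothing in this hunk bounds `cColors` against the size of the supplied `BITMAPINFO`, and whether a caller does so is not visible here, so it is worth validating the color-table length before the loop or at least stating the assumption, e.g. `/* SEH covers faulting reads only; cColors must already be bounded by the caller's buffer size */`. As written, a faulting read is also attempted again for every following index, so a single `_SEH2_TRY` around the whole loop, or leaving the loop on the first failure, would be simpler and cheaper. The comment typo `User SEH` should read `Use SEH`. CreateDIBPalette() starts and ends outside this hunk.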