[WIN32K]

Pass cjMaxBits parameter from GreCreateDIBitmapInternal to IntCreateDIBitmap and check the image size before creating the bitmap.
Should fix crash when hitting about tab in Office2000 WinWord.
CORE-10583 #comment please retest

svn path=/trunk/; revision=70412

reactos/win32ss/gdi/ntgdi/dibobj.c

@@ -248,6 +248,7 @@ IntSetDIBits(
     UINT  StartScan,
     UINT  ScanLines,
     CONST VOID  *Bits,
+    ULONG cjMaxBits,
     CONST BITMAPINFO  *bmi,
     UINT  ColorUse)
 {
@@ -261,6 +262,11 @@ IntSetDIBits(
 
     if (!bmi) return 0;
 
+    if (bmi->bmiHeader.biSizeImage > cjMaxBits)
+    {
+        return 0;
+    }
+
     SourceBitmap = GreCreateBitmapEx(bmi->bmiHeader.biWidth,
                                      ScanLines,
                                      0,
@@ -1316,6 +1322,7 @@ IntCreateDIBitmap(
     ULONG compression,
     DWORD init,
     LPBYTE bits,
+    ULONG cjMaxBits,
     PBITMAPINFO data,
     DWORD coloruse)
 {
@@ -1390,7 +1397,7 @@ IntCreateDIBitmap(
 
     if ((NULL != handle) && (CBM_INIT & init))
     {
-        IntSetDIBits(Dc, handle, 0, height, bits, data, coloruse);
+        IntSetDIBits(Dc, handle, 0, height, bits, cjMaxBits, data, coloruse);
     }
 
     return handle;
@@ -1529,7 +1536,7 @@ GreCreateDIBitmapInternal(
         planes = 0;
         compression = 0;
     }
-    Bmp = IntCreateDIBitmap(Dc, cx, cy, planes, bpp, compression, fInit, pjInit, pbmi, iUsage);
+    Bmp = IntCreateDIBitmap(Dc, cx, cy, planes, bpp, compression, fInit, pjInit, cjMaxBits, pbmi, iUsage);
     DC_UnlockDc(Dc);
 
     if(!hDc)