From 8912b7b4c853d1dbfd6ba19836f2c76c10632a64 Mon Sep 17 00:00:00 2001
From: Jeffrey Morlan
Date: Fri, 4 Jul 2008 00:05:31 +0000
Subject: [PATCH] - BITMAP_Cleanup: Fix leak of DIBSECTION structure; remove redundant ifs. - NtGdi(Get|Set)BitmapDimension: SEHify; set ERROR_INVALID_HANDLE on a bad non-NULL bitmap. - NtGdiGetDCforBitmap: Don't crash on bad bitmap.

svn path=/trunk/; revision=34288
---
 .../subsystems/win32/win32k/objects/bitmaps.c | 54 +++++++++++++++----
 1 file changed, 44 insertions(+), 10 deletions(-)

diff --git a/reactos/subsystems/win32/win32k/objects/bitmaps.c b/reactos/subsystems/win32/win32k/objects/bitmaps.c
index e826c068874..95a040f6801 100644
--- a/reactos/subsystems/win32/win32k/objects/bitmaps.c
+++ b/reactos/subsystems/win32/win32k/objects/bitmaps.c
@@ -133,13 +133,11 @@ BITMAP_Cleanup(PVOID ObjectBody)
 {
 if (pBmp->dib == NULL)
 {
- if (pBmp->SurfObj.pvBits != NULL)
- ExFreePool(pBmp->SurfObj.pvBits);
+ ExFreePool(pBmp->SurfObj.pvBits);
 }
 else
 {
- if (pBmp->SurfObj.pvBits != NULL)
- EngFreeUserMem(pBmp->SurfObj.pvBits);
+ EngFreeUserMem(pBmp->SurfObj.pvBits);
 }
 if (pBmp->hDIBPalette != NULL)
 {
@@ -153,6 +151,9 @@ BITMAP_Cleanup(PVOID ObjectBody)
 pBmp->BitsLock = NULL;
 }
+ if (pBmp->dib)
+ ExFreePoolWithTag(pBmp->dib, TAG_DIB);
+
 return TRUE;
 }
@@ -218,18 +219,32 @@ NtGdiGetBitmapDimension(
 LPSIZE Dimension)
 {
 PBITMAPOBJ bmp;
+ BOOL Ret = TRUE;
+
+ if (hBitmap == NULL)
+ return FALSE;
 bmp = BITMAPOBJ_LockBitmap(hBitmap);
 if (bmp == NULL)
 {
+ SetLastWin32Error(ERROR_INVALID_HANDLE);
 return FALSE;
 }
- *Dimension = bmp->dimension;
+ _SEH_TRY
+ {
+ ProbeForWrite(Dimension, sizeof(SIZE), 1);
+ *Dimension = bmp->dimension;
+ }
+ _SEH_HANDLE
+ {
+ Ret = FALSE;
+ }
+ _SEH_END
 BITMAPOBJ_UnlockBitmap(bmp);
- return TRUE;
+ return Ret;
 }
 COLORREF STDCALL
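Review bot: Both frees in this hunk are now unconditional, so a NULL `pBmp->SurfObj.pvBits` is only ruled out if the enclosing condition tests it, and that condition lies outside the hunk. If it does, a one-line comment such as `/* pvBits is non-NULL here: checked by the enclosing if */`, or an `ASSERT(pBmp->SurfObj.pvBits != NULL);` ahead of the `dib` test, would keep the invariant visible to whoever edits the outer condition later.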
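Review bot: `pBmp->dib` is left pointing at freed pool after `ExFreePoolWithTag(pBmp->dib, TAG_DIB);`, whereas the context line just above resets `pBmp->BitsLock = NULL;` after its own free. Bracing the `if` and adding `pBmp->dib = NULL;` would keep a second cleanup pass over the same object from freeing the structure again. The free also presumes that every path which sets `dib` allocates it from pool with `TAG_DIB`; those allocation sites are not in this diff, so that is worth confirming.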
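Review bot: The `_SEH_HANDLE` branch only sets `Ret = FALSE;`, so a caller passing a bad `Dimension` pointer gets FALSE with no last error, unlike the bad-handle path that now calls `SetLastWin32Error(ERROR_INVALID_HANDLE)`. Recording the fault in the handler, e.g. `SetLastNtError(_SEH_GetExceptionCode());` if that helper is available in this file, would make the two failure paths consistent; the handler in the NtGdiSetBitmapDimension hunk has the same gap. Separately, the probe and the user-mode write run while the bitmap is still locked; copying `bmp->dimension` into a local `SIZE`, unlocking, and only then entering `_SEH_TRY` would keep user-memory access out of the locked region.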
@@ -504,23 +519,39 @@ NtGdiSetBitmapDimension(
 LPSIZE Size)
 {
 PBITMAPOBJ bmp;
+ BOOL Ret = TRUE;
+
+ if (hBitmap == NULL)
+ return FALSE;
 bmp = BITMAPOBJ_LockBitmap(hBitmap);
 if (bmp == NULL)
 {
+ SetLastWin32Error(ERROR_INVALID_HANDLE);
 return FALSE;
 }
 if (Size)
 {
- *Size = bmp->dimension;
+ _SEH_TRY
+ {
+ ProbeForWrite(Size, sizeof(SIZE), 1);
+ *Size = bmp->dimension;
+ }
+ _SEH_HANDLE
+ {
+ Ret = FALSE;
+ }
+ _SEH_END
 }
+
+ /* The dimension is changed even if writing the old value failed */
 bmp->dimension.cx = Width;
 bmp->dimension.cy = Height;
 BITMAPOBJ_UnlockBitmap (bmp);
- return TRUE;
+ return Ret;
 }
 BOOL STDCALL
@@ -746,8 +777,11 @@ NtGdiGetDCforBitmap(
 {
 HDC hDC = NULL;
 PBITMAPOBJ bmp = BITMAPOBJ_LockBitmap( hsurf );
- hDC = bmp->hDC;
- BITMAPOBJ_UnlockBitmap( bmp );
+ if (bmp)
+ {
+ hDC = bmp->hDC;
+ BITMAPOBJ_UnlockBitmap( bmp );
+ }
 return hDC;
 }
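Review bot: Returning `Ret` after the unconditional `bmp->dimension.cx = Width;` and `bmp->dimension.cy = Height;` means the call can report FALSE while having changed the bitmap, which a caller will normally read as "nothing happened". The added comment records that this happens but not why. If it mirrors behaviour observed on Windows, the comment should say so; otherwise guarding the two assignments with `if (Ret)` would leave the object untouched when the old size could not be written back.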
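Review bot: A failed `BITMAPOBJ_LockBitmap( hsurf )` now returns NULL without setting a last error, whereas the two dimension functions changed in this commit call `SetLastWin32Error(ERROR_INVALID_HANDLE)` in the same situation. Adding `else SetLastWin32Error(ERROR_INVALID_HANDLE);` after the new block (skipped for a NULL `hsurf`, as those functions do for a NULL handle) would keep handle validation uniform across the file. The function's signature lies outside the hunk, so whether callers inspect the last error here cannot be told from this diff.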