From 9b3b1801ed47c34e03bd7fde8273640f0bd7184e Mon Sep 17 00:00:00 2001 From: Kamil Hornicek Date: Wed, 22 Feb 2017 10:22:28 +0000 Subject: [PATCH] [GDI32] - Fix a possible null pointer dereference in GetGlyphOutlineA. CID 513747 - SetDIBits should not accept null bitmap info at all. CID 513425 - Don't set the pdwResult pointer itself to null in TADC_GetAndSetDCDWord. CID 1321970 svn path=/trunk/; revision=73877 --- reactos/win32ss/gdi/gdi32/objects/bitmap.c | 13 +++++-------- reactos/win32ss/gdi/gdi32/objects/font.c | 8 +++++++- reactos/win32ss/gdi/gdi32/wine/rosglue.c | 2 +- 3 files changed, 13 insertions(+), 10 deletions(-) diff --git a/reactos/win32ss/gdi/gdi32/objects/bitmap.c b/reactos/win32ss/gdi/gdi32/objects/bitmap.c index 1bbe3924a0f..7ca2bbb9402 100644 --- a/reactos/win32ss/gdi/gdi32/objects/bitmap.c +++ b/reactos/win32ss/gdi/gdi32/objects/bitmap.c @@ -578,16 +578,13 @@ SetDIBits( if (!lpvBits || (GDI_HANDLE_GET_TYPE(hBitmap) != GDI_OBJECT_TYPE_BITMAP)) return 0; - if (lpbmi) + if (lpbmi->bmiHeader.biSize >= sizeof(BITMAPINFOHEADER)) { - if (lpbmi->bmiHeader.biSize >= sizeof(BITMAPINFOHEADER)) + if (lpbmi->bmiHeader.biCompression == BI_JPEG + || lpbmi->bmiHeader.biCompression == BI_PNG) { - if (lpbmi->bmiHeader.biCompression == BI_JPEG - || lpbmi->bmiHeader.biCompression == BI_PNG) - { - SetLastError(ERROR_INVALID_PARAMETER); - return 0; - } + SetLastError(ERROR_INVALID_PARAMETER); + return 0; } } diff --git a/reactos/win32ss/gdi/gdi32/objects/font.c b/reactos/win32ss/gdi/gdi32/objects/font.c index 01a5dabf25b..4b9e7d865cc 100644 --- a/reactos/win32ss/gdi/gdi32/objects/font.c +++ b/reactos/win32ss/gdi/gdi32/objects/font.c 
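Review bot: With the `if (lpbmi)` guard removed, `lpbmi->bmiHeader.biSize` in SetDIBits is read unconditionally, but the only argument check visible above it tests `lpvBits` and the handle type, not `lpbmi`. Unless a check outside this hunk already rejects it, a caller passing a NULL bitmap info now faults inside gdi32 instead of getting a 0 return, which is not what the commit message describes. Extending the existing guard would make the rejection explicit: `if (!lpvBits || !lpbmi || (GDI_HANDLE_GET_TYPE(hBitmap) != GDI_OBJECT_TYPE_BITMAP)) return 0;`. The body of SetDIBits starts and ends outside the hunk, so an earlier NULL check cannot be ruled out from here.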
@@ -132,7 +132,11 @@ static LPWSTR FONT_mbtowc(HDC hdc, LPCSTR str, INT count, INT *plenW, UINT *pCP) strW = HeapAlloc(GetProcessHeap(), 0, lenW*sizeof(WCHAR)); if (!strW) return NULL; - MultiByteToWideChar(cp, 0, str, count, strW, lenW); + if(!MultiByteToWideChar(cp, 0, str, count, strW, lenW)) + { + HeapFree(GetProcessHeap(), 0, strW); + return NULL; + } DPRINT("mapped %s -> %S\n", str, strW); if(plenW) *plenW = lenW; if(pCP) *pCP = cp; @@ -1009,6 +1013,8 @@ GetGlyphOutlineA( mbchs[0] = (uChar & 0xff); } p = FONT_mbtowc(hdc, mbchs, len, NULL, NULL); + if(!p) + return GDI_ERROR; c = p[0]; } else diff --git a/reactos/win32ss/gdi/gdi32/wine/rosglue.c b/reactos/win32ss/gdi/gdi32/wine/rosglue.c index edd1c8d57ca..594aa5671fa 100644 --- a/reactos/win32ss/gdi/gdi32/wine/rosglue.c +++ b/reactos/win32ss/gdi/gdi32/wine/rosglue.c @@ -1096,7 +1096,7 @@ METADC_GetAndSetDCDWord( case GdiGetSetArcDirection: if (GDI_HANDLE_GET_TYPE(physdev->hdc) == GDILoObjType_LO_METADC16_TYPE) - pdwResult = 0; + *pdwResult = 0; else *pdwResult = physdev->funcs->pSetArcDirection(physdev, dwIn); break;
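Review bot: The `DPRINT("mapped %s -> %S\n", str, strW)` line right after the new failure check in FONT_mbtowc formats both buffers as NUL-terminated strings, yet the conversion is driven by an explicit `count` and `lenW`, and nothing visible appends a terminator to `strW`. The GetGlyphOutlineA hunk in this same patch passes `mbchs` with an explicit `len`, which suggests a counted buffer, so in debug builds the trace may read past the end of either buffer. Bounding the trace by the lengths already at hand, or dropping it, would avoid that. A comment above the allocation such as `/* str and strW are counted buffers, not NUL-terminated */` would also record the contract. FONT_mbtowc starts before the hunk and ends after it, so how `count` and `lenW` are derived is not visible here.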