Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-02-23 17:05:46 +00:00
Code Issues Projects Releases Packages Wiki Activity

- Patch by Jeffrey Morlan: Fix bounds checking and change NtGdiDoPalette to use a temporary kmode buffer. See Bug 3383.

Browse source 
svn path=/trunk/; revision=34934
This commit is contained in:
James Tabor 2008-07-29 18:11:18 +00:00
parent 4c985ce93a
commit a9cd7fec76
1 changed files with 70 additions and 53 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

123
reactos/subsystems/win32/win32k/objects/color.c
View file

@ -436,18 +436,16 @@ IntGetSystemPaletteEntries(HDC hDC,
{
if (pe != NULL)
{
UINT CopyEntries;
if (StartIndex + Entries < palGDI->NumColors)
CopyEntries = StartIndex + Entries;
else
CopyEntries = palGDI->NumColors - StartIndex;
if (StartIndex >= palGDI->NumColors)
Entries = 0;
else if (Entries > palGDI->NumColors - StartIndex)
Entries = palGDI->NumColors - StartIndex;
memcpy(pe,
palGDI->IndexedColors + StartIndex,
CopyEntries * sizeof(pe[0]));
Entries * sizeof(pe[0]));
Ret = CopyEntries;
Ret = Entries;
}
else
{
@ -837,6 +835,7 @@ NtGdiDoPalette(
IN BOOL bInbound)
{
LONG ret;
LPVOID pEntries = NULL;
/* FIXME: Handle bInbound correctly */
@ -846,58 +845,76 @@ NtGdiDoPalette(
return 0;
}
_SEH_TRY
if (pUnsafeEntries)
{
switch(iFunc)
pEntries = ExAllocatePool(PagedPool, cEntries * sizeof(PALETTEENTRY));
if (!pEntries)
return 0;
if (bInbound)
{
case GdiPalAnimate:
_SEH_TRY
{
ProbeForRead(pUnsafeEntries, cEntries * sizeof(PALETTEENTRY), 1);
ret = IntAnimatePalette((HPALETTE)hObj, iStart, cEntries, pUnsafeEntries);
break;
case GdiPalSetEntries:
ProbeForRead(pUnsafeEntries, cEntries * sizeof(PALETTEENTRY), 1);
ret = IntSetPaletteEntries((HPALETTE)hObj, iStart, cEntries, pUnsafeEntries);
break;
case GdiPalGetEntries:
if (pUnsafeEntries)
{
ProbeForWrite(pUnsafeEntries, cEntries * sizeof(PALETTEENTRY), 1);
}
ret = IntGetPaletteEntries((HPALETTE)hObj, iStart, cEntries, pUnsafeEntries);
break;
case GdiPalGetSystemEntries:
if (pUnsafeEntries)
{
ProbeForWrite(pUnsafeEntries, cEntries * sizeof(PALETTEENTRY), 1);
}
ret = IntGetSystemPaletteEntries((HDC)hObj, iStart, cEntries, pUnsafeEntries);
break;
case GdiPalSetColorTable:
ProbeForRead(pUnsafeEntries, cEntries * sizeof(PALETTEENTRY), 1);
ret = IntSetDIBColorTable((HDC)hObj, iStart, cEntries, (RGBQUAD*)pUnsafeEntries);
break;
case GdiPalGetColorTable:
if (pUnsafeEntries)
{
ProbeForWrite(pUnsafeEntries, cEntries * sizeof(PALETTEENTRY), 1);
}
ret = IntGetDIBColorTable((HDC)hObj, iStart, cEntries, (RGBQUAD*)pUnsafeEntries);
break;
default:
ret = 0;
memcpy(pEntries, pUnsafeEntries, cEntries * sizeof(PALETTEENTRY));
}
_SEH_HANDLE
{
ExFreePool(pEntries);
_SEH_YIELD(return 0);
}
_SEH_END
}
}
_SEH_HANDLE
ret = 0;
switch(iFunc)
{
ret = 0;
case GdiPalAnimate:
if (pEntries)
ret = IntAnimatePalette((HPALETTE)hObj, iStart, cEntries, pEntries);
break;
case GdiPalSetEntries:
if (pEntries)
ret = IntSetPaletteEntries((HPALETTE)hObj, iStart, cEntries, pEntries);
break;
case GdiPalGetEntries:
ret = IntGetPaletteEntries((HPALETTE)hObj, iStart, cEntries, pEntries);
break;
case GdiPalGetSystemEntries:
ret = IntGetSystemPaletteEntries((HDC)hObj, iStart, cEntries, pEntries);
break;
case GdiPalSetColorTable:
if (pEntries)
ret = IntSetDIBColorTable((HDC)hObj, iStart, cEntries, (RGBQUAD*)pEntries);
break;
case GdiPalGetColorTable:
if (pEntries)
ret = IntGetDIBColorTable((HDC)hObj, iStart, cEntries, (RGBQUAD*)pEntries);
break;
}
if (pEntries)
{
if (!bInbound)
{
_SEH_TRY
{
ProbeForWrite(pUnsafeEntries, cEntries * sizeof(PALETTEENTRY), 1);
memcpy(pUnsafeEntries, pEntries, cEntries * sizeof(PALETTEENTRY));
}
_SEH_HANDLE
{
ret = 0;
}
_SEH_END
}
ExFreePool(pEntries);
}
_SEH_END
return ret;
}