From bdd3db1d3db394636fbf071af399a2c2c4a9a36b Mon Sep 17 00:00:00 2001
From: Timo Kreuzer
Date: Sun, 30 Sep 2012 22:02:02 +0000
Subject: [PATCH] [WIN32K] Fix the hack, so it doesn't cause overwriting of usermode memory.
svn path=/trunk/; revision=57445
---
 reactos/win32ss/gdi/ntgdi/dibobj.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/reactos/win32ss/gdi/ntgdi/dibobj.c b/reactos/win32ss/gdi/ntgdi/dibobj.c
index 81278b44550..edd1308a318 100644
--- a/reactos/win32ss/gdi/ntgdi/dibobj.c
+++ b/reactos/win32ss/gdi/ntgdi/dibobj.c
@@ -1007,6 +1007,7 @@ NtGdiGetDIBitsInternal(
 PBITMAPINFO pbmi;
 HANDLE hSecure = NULL;
 INT iResult = 0;
+ UINT cjAlloc;
 /* Check for bad iUsage */
 if (iUsage > 2) return 0;
@@ -1022,10 +1023,10 @@ NtGdiGetDIBitsInternal(
 // HACK: the underlying code sucks and doesn't care for the size, so we
 // give it the maximum ever needed
- cjMaxInfo = sizeof(BITMAPV5HEADER) + 256 * sizeof(RGBQUAD);
+ cjAlloc = sizeof(BITMAPV5HEADER) + 256 * sizeof(RGBQUAD);
 /* Allocate a buffer the bitmapinfo */
- pbmi = ExAllocatePoolWithTag(PagedPool, cjMaxInfo, 'imBG');
+ pbmi = ExAllocatePoolWithTag(PagedPool, cjAlloc, 'imBG');
 if (!pbmi)
 {
 /* Fail */
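Review bot: The pool buffer in the second hunk is now `cjAlloc` bytes while the caller's `cjMaxInfo` keeps its own value, so nothing visible here initialises the bytes between the two sizes. `ExAllocatePoolWithTag` does not zero memory, and the HACK comment says the underlying code ignores the size, so it may read stale pool contents as header or colour-table data; adding `RtlZeroMemory(pbmi, cjAlloc);` after the `if (!pbmi)` check would close that. The copies into and out of `pbmi` are outside the hunk and are only safe if `cjMaxInfo` cannot exceed the allocation, so unless an earlier clamp already exists I would add `if (cjMaxInfo > cjAlloc) cjMaxInfo = cjAlloc;` right after `cjAlloc` is assigned. The body of NtGdiGetDIBitsInternal starts and ends outside both hunks, so both points should be checked against the full function.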