From c582ada8599785b32a42e472912fc6cb02583bf0 Mon Sep 17 00:00:00 2001
From: Timo Kreuzer
Date: Sun, 7 Jan 2007 21:18:34 +0000
Subject: [PATCH] My first commit! NtGdiExtTextOut: - Unlock dc if failed - Copy string from usermode using MmCopyFromCaller
svn path=/trunk/; revision=25352
---
 .../subsystems/win32/win32k/objects/text.c | 35 +++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/reactos/subsystems/win32/win32k/objects/text.c b/reactos/subsystems/win32/win32k/objects/text.c
index 3d7857bf84a..be9507706e9 100644
--- a/reactos/subsystems/win32/win32k/objects/text.c
+++ b/reactos/subsystems/win32/win32k/objects/text.c
@@ -1564,7 +1564,7 @@ NtGdiExtTextOut(
 INT YStart,
 UINT fuOptions,
 CONST RECT *lprc,
- LPCWSTR String,
+ LPCWSTR UnsafeString,
 UINT Count,
 CONST INT *UnsafeDx)
 {
@@ -1610,6 +1610,7 @@ NtGdiExtTextOut(
 INT *Dx = NULL;
 POINT Start;
 BOOL DoBreak = FALSE;
+ LPCWSTR String, SafeString = NULL;
 // TODO: Write test-cases to exactly match real Windows in different
 // bad parameters (e.g. does Windows check the DC or the RECT first?).
@@ -1626,12 +1627,34 @@ NtGdiExtTextOut(
 return TRUE;
 }
+ /* Check if String is valid */
+ if ((Count > 0xFFFF) || (Count > 0 && UnsafeString == NULL))
+ {
+ SetLastWin32Error(ERROR_INVALID_PARAMETER);
+ goto fail;
+ }
+ if (Count > 0)
+ {
+ SafeString = ExAllocatePoolWithTag(PagedPool, Count * sizeof(WCHAR), TAG_GDITEXT);
+ if (!SafeString)
+ {
+ goto fail;
+ }
+ Status = MmCopyFromCaller(SafeString, UnsafeString, Count * sizeof(WCHAR));
+ if (! NT_SUCCESS(Status))
+ {
+ goto fail;
+ }
+ }
+ String = SafeString;
+
 if (lprc && (fuOptions & (ETO_OPAQUE | ETO_CLIPPED)))
 {
 // At least one of the two flags were specified. Copy lprc. Once.
 Status = MmCopyFromCaller(&SpecifiedDestRect, lprc, sizeof(RECT));
 if (!NT_SUCCESS(Status))
 {
+ DC_UnlockDc(dc);
 SetLastWin32Error(ERROR_INVALID_PARAMETER);
 return FALSE;
 }
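Review bot: In the second hunk (`@@ -1610`), `SafeString` is declared as `LPCWSTR`, a pointer to const, even though it is the destination buffer of `MmCopyFromCaller` in the next hunk and has to be cast to `void*` for `ExFreePool` in both cleanup hunks. Declaring the owned buffer as `LPWSTR SafeString = NULL;` and keeping `LPCWSTR String;` as the read-only view would make the ownership visible and remove the casts. The rest of the declaration block lies outside the hunk.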
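Review bot: The early `return FALSE` in the `lprc` failure branch at the end of the third hunk (`@@ -1626`) now leaks the pool buffer. When `Count > 0`, `SafeString` has already been allocated and filled, and this path unlocks the DC and returns without reaching the `ExFreePool` added under `fail:` in the last hunk. Each user-mode call with a bad `lprc` and `ETO_OPAQUE` or `ETO_CLIPPED` can therefore leave up to about 128 KB of paged pool allocated; free it first, e.g. `if (SafeString) ExFreePool((void*)SafeString);` ahead of `return FALSE;`. The allocation-failure and string-copy-failure branches also `goto fail` without calling `SetLastWin32Error`, unlike the parameter check above them. Whether `fail:` itself unlocks the DC is outside the visible hunks, so the new `goto fail` paths should be checked against it.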
@@ -1994,7 +2017,7 @@ NtGdiExtTextOut(
 {
 DPRINT1("WARNING: EngLockSurface() failed!\n");
 FT_Done_Glyph(realglyph);
- IntUnLockFreeType;
+ IntUnLockFreeType;
 goto fail;
 }
 SourceGlyphSurf = EngLockSurface((HSURF)HSourceGlyph);
@@ -2071,6 +2094,10 @@ NtGdiExtTextOut(
 }
 BRUSHOBJ_UnlockBrush(BrushFg);
 NtGdiDeleteObject(hBrushFg);
+ if (NULL != SafeString)
+ {
+ ExFreePool((void*)SafeString);
+ }
 if (NULL != Dx)
 {
 ExFreePool(Dx);
@@ -2097,6 +2124,10 @@ fail:
 BRUSHOBJ_UnlockBrush(BrushFg);
 NtGdiDeleteObject(hBrushFg);
 }
+ if (NULL != SafeString)
+ {
+ ExFreePool((void*)SafeString);
+ }
 if (NULL != Dx)
 {
 ExFreePool(Dx);