[WIN32K:NTGDI]

- Handle arbitrary-length DEVMODEW structures in NtGdiOpenDCW. Patch by Katayama Hirofumi MZ with small changes by me. CORE-12068 #resolve svn path=/trunk/; revision=72871
2024-07-01 02:10:07 +00:00 · 2016-10-01 08:25:35 +00:00 · 2016-10-01 08:25:35 +00:00 · c77ad2e9b5
parent c60a62e0de
commit c77ad2e9b5
1 changed files with 27 additions and 6 deletions
--- a/reactos/win32ss/gdi/ntgdi/dclife.c
+++ b/reactos/win32ss/gdi/ntgdi/dclife.c
@ -692,9 +692,11 @@ NtGdiOpenDCW(
 {
    UNICODE_STRING ustrDevice;
    WCHAR awcDevice[CCHDEVICENAME];
-    DEVMODEW dmInit;
    PVOID dhpdev;
    HDC hdc;
+    WORD dmSize, dmDriverExtra;
+    DWORD Size;
+    DEVMODEW * _SEH2_VOLATILE pdmAllocated = NULL;

    /* Only if a devicename is given, we need any data */
    if (pustrDevice)
@ -711,13 +713,22 @@ NtGdiOpenDCW(
            /* Copy the string */
            RtlCopyUnicodeString(&ustrDevice, pustrDevice);

+            /* Allocate and store pdmAllocated if pdmInit is not NULL */
            if (pdmInit)
            {
-                /* FIXME: could be larger */
-                /* According to a comment in Windows SDK the size of the buffer for
-                   pdm is (pdm->dmSize + pdm->dmDriverExtra) */
                ProbeForRead(pdmInit, sizeof(DEVMODEW), 1);
-                RtlCopyMemory(&dmInit, pdmInit, sizeof(DEVMODEW));
+
+                dmSize = pdmInit->dmSize;
+                dmDriverExtra = pdmInit->dmDriverExtra;
+                Size = dmSize + dmDriverExtra;
+                ProbeForRead(pdmInit, Size, 1);
+
+                pdmAllocated = ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,
+                                                     Size,
+                                                     TAG_DC);
+                RtlCopyMemory(pdmAllocated, pdmInit, Size);
+                pdmAllocated->dmSize = dmSize;
+                pdmAllocated->dmDriverExtra = dmDriverExtra;
            }

            if (pUMdhpdev)
@ -727,6 +738,10 @@ NtGdiOpenDCW(
        }
        _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
        {
+            if (pdmAllocated)
+            {
+                ExFreePoolWithTag(pdmAllocated, TAG_DC);
+            }
            SetLastNtError(_SEH2_GetExceptionCode());
            _SEH2_YIELD(return NULL);
        }
@ -750,7 +765,7 @@ NtGdiOpenDCW(

    /* Call the internal function */
    hdc = GreOpenDCW(pustrDevice ? &ustrDevice : NULL,
-                     pdmInit ? &dmInit : NULL,
+                     pdmAllocated,
                     NULL, // FIXME: pwszLogAddress
                     iType,
                     bDisplay,
@ -775,6 +790,12 @@ NtGdiOpenDCW(
        _SEH2_END
    }

+    /* Free the allocated */
+    if (pdmAllocated)
+    {
+        ExFreePoolWithTag(pdmAllocated, TAG_DC);
+    }
+
    return hdc;
 }