From c77ad2e9b55ce1ec8c89681a22a3b9af6478b3fc Mon Sep 17 00:00:00 2001
From: Thomas Faber
Date: Sat, 1 Oct 2016 08:25:35 +0000
Subject: [PATCH] [WIN32K:NTGDI] - Handle arbitrary-length DEVMODEW structures in NtGdiOpenDCW. Patch by Katayama Hirofumi MZ with small changes by me. CORE-12068 #resolve svn path=/trunk/; revision=72871
---
 reactos/win32ss/gdi/ntgdi/dclife.c | 33 ++++++++++++++++++++++++------
 1 file changed, 27 insertions(+), 6 deletions(-)

diff --git a/reactos/win32ss/gdi/ntgdi/dclife.c b/reactos/win32ss/gdi/ntgdi/dclife.c
index b1c7d521583..647a1b6300e 100644
--- a/reactos/win32ss/gdi/ntgdi/dclife.c
+++ b/reactos/win32ss/gdi/ntgdi/dclife.c
@@ -692,9 +692,11 @@ NtGdiOpenDCW(
 {
     UNICODE_STRING ustrDevice;
     WCHAR awcDevice[CCHDEVICENAME];
-    DEVMODEW dmInit;
     PVOID dhpdev;
     HDC hdc;
+    WORD dmSize, dmDriverExtra;
+    DWORD Size;
+    DEVMODEW * _SEH2_VOLATILE pdmAllocated = NULL;
 
     /* Only if a devicename is given, we need any data */
     if (pustrDevice)
@@ -711,13 +713,22 @@ NtGdiOpenDCW(
             /* Copy the string */
             RtlCopyUnicodeString(&ustrDevice, pustrDevice);
 
+            /* Allocate and store pdmAllocated if pdmInit is not NULL */
             if (pdmInit)
             {
-                /* FIXME: could be larger */
-                /* According to a comment in Windows SDK the size of the buffer for
-                   pdm is (pdm->dmSize + pdm->dmDriverExtra) */
                 ProbeForRead(pdmInit, sizeof(DEVMODEW), 1);
-                RtlCopyMemory(&dmInit, pdmInit, sizeof(DEVMODEW));
+
+                dmSize = pdmInit->dmSize;
+                dmDriverExtra = pdmInit->dmDriverExtra;
+                Size = dmSize + dmDriverExtra;
+                ProbeForRead(pdmInit, Size, 1);
+
+                pdmAllocated = ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,
+                                                     Size,
+                                                     TAG_DC);
+                RtlCopyMemory(pdmAllocated, pdmInit, Size);
+                pdmAllocated->dmSize = dmSize;
+                pdmAllocated->dmDriverExtra = dmDriverExtra;
             }
 
             if (pUMdhpdev)
@@ -727,6 +738,10 @@ NtGdiOpenDCW(
         }
         _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
         {
+            if (pdmAllocated)
+            {
+                ExFreePoolWithTag(pdmAllocated, TAG_DC);
+            }
             SetLastNtError(_SEH2_GetExceptionCode());
             _SEH2_YIELD(return NULL);
         }
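Review bot: `Size = dmSize + dmDriverExtra;` is built from two caller-controlled WORDs that are never checked against a lower bound, so a dmSize smaller than the DEVMODEW header still reaches `ExAllocatePoolWithTag(..., Size, TAG_DC)`, and the two stores `pdmAllocated->dmSize = dmSize; pdmAllocated->dmDriverExtra = dmDriverExtra;` then write past the end of the pool block (both fields sit after the 32-WCHAR dmDeviceName, i.e. beyond offset 64), while GreOpenDCW later reads fields beyond the allocation as well. Reject undersized structures before allocating, e.g. `if (dmSize < sizeof(DEVMODEW)) { SetLastNtError(STATUS_INVALID_PARAMETER); _SEH2_YIELD(return NULL); }`, relaxing the bound to the smallest legacy DEVMODEW layout only if the internal callee is known to cope with shorter structures. Re-storing dmSize and dmDriverExtra after the copy is presumably meant to pin the values used for the second probe and the allocation against concurrent modification of the user buffer; that intent deserves a comment such as `/* Re-store the sizes the probe and allocation were based on: the user buffer may have changed since they were read */`. NtGdiOpenDCW's body and the enclosing _SEH2_TRY both start and end outside this hunk.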
@@ -750,7 +765,7 @@ NtGdiOpenDCW(
 
     /* Call the internal function */
     hdc = GreOpenDCW(pustrDevice ? &ustrDevice : NULL,
-                     pdmInit ? &dmInit : NULL,
+                     pdmAllocated,
                      NULL, // FIXME: pwszLogAddress
                      iType,
                      bDisplay,
@@ -775,6 +790,12 @@ NtGdiOpenDCW(
         _SEH2_END
     }
 
+    /* Free the allocated */
+    if (pdmAllocated)
+    {
+        ExFreePoolWithTag(pdmAllocated, TAG_DC);
+    }
+
     return hdc;
 }
 
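Review bot: The `ExFreePoolWithTag(pdmAllocated, TAG_DC)` added before `return hdc;` only runs on the fall-through path; any `_SEH2_YIELD(return NULL)` between the GreOpenDCW call and this point — for instance in the handler of the _SEH2_TRY block whose `_SEH2_END` opens this hunk, which is not visible here — would leak the pool block. Freeing immediately after GreOpenDCW returns, or routing every exit through one cleanup label, would close that gap, provided GreOpenDCW copies the DEVMODEW rather than retaining the pointer (not verifiable from this diff; if it retains it, the free here leaves a dangling pointer instead). The comment `/* Free the allocated */` does not say what is released; `/* Free the kernel copy of the caller's DEVMODEW */` would. The earlier part of NtGdiOpenDCW, including where pdmAllocated is filled in, lies outside this hunk.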