Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2024-12-27 17:44:45 +00:00
Code Issues Projects Releases Packages Wiki Activity

removed some MmCopyTo/FromCaller calls from win32k's GDI

Browse source 
svn path=/trunk/; revision=16738
This commit is contained in:
Thomas Bluemel 2005-07-26 12:22:55 +00:00
parent e0cd2dc6bf
commit d7702b47f9
10 changed files with 1092 additions and 178 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

54
reactos/subsys/win32k/objects/brush.c
View file

@ -563,7 +563,7 @@ NtGdiCreateDIBBrush(
CONST VOID *PackedDIB)
{
BITMAPINFO *SafeBitmapInfoAndData;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
HBRUSH hBrush;
SafeBitmapInfoAndData = EngAllocMem(0, BitmapInfoSize, 0);
@ -573,10 +573,24 @@ NtGdiCreateDIBBrush(
return NULL;
}
Status = MmCopyFromCaller(SafeBitmapInfoAndData, BitmapInfoAndData,
BitmapInfoSize);
_SEH_TRY
{
ProbeForRead(BitmapInfoAndData,
BitmapInfoSize,
1);
RtlCopyMemory(SafeBitmapInfoAndData,
BitmapInfoAndData,
BitmapInfoSize);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
EngFreeMem(SafeBitmapInfoAndData);
SetLastNtError(Status);
return 0;
}
@ -632,11 +646,23 @@ NtGdiSetBrushOrgEx(HDC hDC, INT XOrg, INT YOrg, LPPOINT Point)
if (Point != NULL)
{
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
POINT SafePoint;
SafePoint.x = dc->w.brushOrgX;
SafePoint.y = dc->w.brushOrgY;
Status = MmCopyToCaller(Point, &SafePoint, sizeof(POINT));
_SEH_TRY
{
ProbeForWrite(Point,
sizeof(POINT),
1);
*Point = SafePoint;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
@ -661,7 +687,7 @@ NtGdiPolyPatBlt(
ULONG Reserved)
{
PPATRECT rb = NULL;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
BOOL Ret;
if (cRects > 0)
@ -672,7 +698,21 @@ NtGdiPolyPatBlt(
SetLastWin32Error(ERROR_NOT_ENOUGH_MEMORY);
return FALSE;
}
Status = MmCopyFromCaller(rb, pRects, sizeof(PATRECT) * cRects);
_SEH_TRY
{
ProbeForRead(pRects,
cRects * sizeof(PATRECT),
1);
RtlCopyMemory(rb,
pRects,
cRects * sizeof(PATRECT));
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
ExFreePool(rb);

31
reactos/subsys/win32k/objects/cliprgn.c
View file

@ -192,7 +192,19 @@ int STDCALL NtGdiGetClipBox(HDC hDC,
Ret = IntGdiGetClipBox(hDC, &Saferect);
Status = MmCopyToCaller(rc, &Saferect, sizeof(RECT));
_SEH_TRY
{
ProbeForWrite(rc,
sizeof(RECT),
1);
*rc = Saferect;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
@ -341,7 +353,7 @@ BOOL STDCALL NtGdiPtVisible(HDC hDC,
BOOL STDCALL NtGdiRectVisible(HDC hDC,
CONST PRECT UnsafeRect)
{
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
PROSRGNDATA Rgn;
PDC dc = DC_LockDc(hDC);
BOOL Result = FALSE;
@ -353,10 +365,23 @@ BOOL STDCALL NtGdiRectVisible(HDC hDC,
return FALSE;
}
Status = MmCopyFromCaller(&Rect, UnsafeRect, sizeof(RECT));
_SEH_TRY
{
ProbeForRead(UnsafeRect,
sizeof(RECT),
1);
Rect = *UnsafeRect;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
SetLastNtError(Status);
return FALSE;
}

272
reactos/subsys/win32k/objects/coord.c
View file

@ -63,17 +63,29 @@ BOOL STDCALL NtGdiCombineTransform(LPXFORM UnsafeXFormResult,
{
XFORM xformTemp;
XFORM xform1, xform2;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
BOOL Ret;
Status = MmCopyFromCaller( &xform1, Unsafexform1, sizeof(XFORM) );
if(!NT_SUCCESS(Status))
_SEH_TRY
{
SetLastNtError(Status);
return FALSE;
ProbeForWrite(UnsafeXFormResult,
sizeof(XFORM),
1);
ProbeForRead(Unsafexform1,
sizeof(XFORM),
1);
ProbeForRead(Unsafexform2,
sizeof(XFORM),
1);
xform1 = *Unsafexform1;
xform2 = *Unsafexform2;
}
Status = MmCopyFromCaller( &xform2, Unsafexform2, sizeof(XFORM) );
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
@ -83,7 +95,17 @@ BOOL STDCALL NtGdiCombineTransform(LPXFORM UnsafeXFormResult,
Ret = IntGdiCombineTransform(&xformTemp, &xform1, &xform2);
/* Copy the result to xformResult */
Status = MmCopyToCaller( UnsafeXFormResult, &xformTemp, sizeof(XFORM) );
_SEH_TRY
{
/* pointer was already probed! */
*UnsafeXFormResult = xformTemp;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
@ -131,7 +153,7 @@ NtGdiDPtoLP(HDC hDC,
int Count)
{
PDC dc;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
LPPOINT Points;
ULONG Size;
@ -159,7 +181,21 @@ NtGdiDPtoLP(HDC hDC,
return FALSE;
}
Status = MmCopyFromCaller(Points, UnsafePoints, Size);
_SEH_TRY
{
ProbeForWrite(UnsafePoints,
Size,
1);
RtlCopyMemory(Points,
UnsafePoints,
Size);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
@ -170,7 +206,19 @@ NtGdiDPtoLP(HDC hDC,
IntDPtoLP(dc, Points, Count);
Status = MmCopyToCaller(UnsafePoints, Points, Size);
_SEH_TRY
{
/* pointer was already probed! */
RtlCopyMemory(UnsafePoints,
Points,
Size);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
@ -218,7 +266,7 @@ NtGdiGetWorldTransform(HDC hDC,
LPXFORM XForm)
{
PDC dc;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
dc = DC_LockDc ( hDC );
if (!dc)
@ -233,7 +281,18 @@ NtGdiGetWorldTransform(HDC hDC,
return FALSE;
}
Status = MmCopyToCaller(XForm, &dc->w.xformWorld2Wnd, sizeof(XFORM));
_SEH_TRY
{
ProbeForWrite(XForm,
sizeof(XFORM),
1);
*XForm = dc->w.xformWorld2Wnd;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
DC_UnlockDc(dc);
return NT_SUCCESS(Status);
@ -280,7 +339,7 @@ BOOL STDCALL
NtGdiLPtoDP ( HDC hDC, LPPOINT UnsafePoints, INT Count )
{
PDC dc;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
LPPOINT Points;
ULONG Size;
@ -308,7 +367,21 @@ NtGdiLPtoDP ( HDC hDC, LPPOINT UnsafePoints, INT Count )
return FALSE;
}
Status = MmCopyFromCaller(Points, UnsafePoints, Size);
_SEH_TRY
{
ProbeForWrite(UnsafePoints,
Size,
1);
RtlCopyMemory(Points,
UnsafePoints,
Size);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
@ -319,7 +392,19 @@ NtGdiLPtoDP ( HDC hDC, LPPOINT UnsafePoints, INT Count )
IntLPtoDP(dc, Points, Count);
Status = MmCopyToCaller(UnsafePoints, Points, Size);
_SEH_TRY
{
/* pointer was already probed! */
RtlCopyMemory(UnsafePoints,
Points,
Size);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
@ -341,7 +426,7 @@ NtGdiModifyWorldTransform(HDC hDC,
{
PDC dc;
XFORM SafeXForm;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
dc = DC_LockDc(hDC);
if (!dc)
@ -357,7 +442,19 @@ NtGdiModifyWorldTransform(HDC hDC,
return FALSE;
}
Status = MmCopyFromCaller(&SafeXForm, UnsafeXForm, sizeof(XFORM));
_SEH_TRY
{
ProbeForRead(UnsafeXForm,
sizeof(XFORM),
1);
SafeXForm = *UnsafeXForm;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
@ -403,8 +500,7 @@ NtGdiOffsetViewportOrgEx(HDC hDC,
LPPOINT UnsafePoint)
{
PDC dc;
POINT Point;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
dc = DC_LockDc ( hDC );
if(!dc)
@ -415,9 +511,20 @@ NtGdiOffsetViewportOrgEx(HDC hDC,
if (UnsafePoint)
{
Point.x = dc->vportOrgX;
Point.y = dc->vportOrgY;
Status = MmCopyToCaller(UnsafePoint, &Point, sizeof(POINT));
_SEH_TRY
{
ProbeForWrite(UnsafePoint,
sizeof(POINT),
1);
UnsafePoint->x = dc->vportOrgX;
UnsafePoint->y = dc->vportOrgY;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if ( !NT_SUCCESS(Status) )
{
SetLastNtError(Status);
@ -452,13 +559,22 @@ NtGdiOffsetWindowOrgEx(HDC hDC,
if (Point)
{
POINT SafePoint;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
_SEH_TRY
{
ProbeForWrite(Point,
sizeof(POINT),
1);
Point->x = dc->wndOrgX;
Point->y = dc->wndOrgY;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
SafePoint.x = dc->wndOrgX;
SafePoint.y = dc->wndOrgY;
Status = MmCopyToCaller(Point, &SafePoint, sizeof(POINT));
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
@ -594,13 +710,22 @@ NtGdiSetViewportExtEx(HDC hDC,
if (Size)
{
SIZE SafeSize;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
SafeSize.cx = dc->vportExtX;
SafeSize.cy = dc->vportExtY;
_SEH_TRY
{
ProbeForWrite(Size,
sizeof(SIZE),
1);
Size->cx = dc->vportExtX;
Size->cy = dc->vportExtY;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
Status = MmCopyToCaller(Size, &SafeSize, sizeof(SIZE));
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
@ -636,13 +761,22 @@ NtGdiSetViewportOrgEx(HDC hDC,
if (Point)
{
POINT SafePoint;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
_SEH_TRY
{
ProbeForWrite(Point,
sizeof(POINT),
1);
Point->x = dc->vportOrgX;
Point->y = dc->vportOrgY;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
SafePoint.x = dc->vportOrgX;
SafePoint.y = dc->vportOrgY;
Status = MmCopyToCaller(Point, &SafePoint, sizeof(POINT));
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
@ -690,13 +824,22 @@ NtGdiSetWindowExtEx(HDC hDC,
if (Size)
{
SIZE SafeSize;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
_SEH_TRY
{
ProbeForWrite(Size,
sizeof(SIZE),
1);
Size->cx = dc->wndExtX;
Size->cy = dc->wndExtY;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
SafeSize.cx = dc->wndExtX;
SafeSize.cy = dc->wndExtY;
Status = MmCopyToCaller(Size, &SafeSize, sizeof(SIZE));
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
@ -732,13 +875,22 @@ NtGdiSetWindowOrgEx(HDC hDC,
if (Point)
{
POINT SafePoint;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
_SEH_TRY
{
ProbeForWrite(Point,
sizeof(POINT),
1);
Point->x = dc->wndOrgX;
Point->y = dc->wndOrgY;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
SafePoint.x = dc->wndOrgX;
SafePoint.y = dc->wndOrgY;
Status = MmCopyToCaller(Point, &SafePoint, sizeof(POINT));
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
@ -762,7 +914,7 @@ NtGdiSetWorldTransform(HDC hDC,
CONST LPXFORM XForm)
{
PDC dc;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
dc = DC_LockDc (hDC);
if ( !dc )
@ -785,7 +937,19 @@ NtGdiSetWorldTransform(HDC hDC,
return FALSE;
}
Status = MmCopyFromCaller(&dc->w.xformWorld2Wnd, XForm, sizeof(XFORM));
_SEH_TRY
{
ProbeForRead(XForm,
sizeof(XFORM),
1);
dc->w.xformWorld2Wnd = *XForm;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);

100
reactos/subsys/win32k/objects/dc.c
View file

@ -69,7 +69,7 @@ VOID FASTCALL Int##FuncName ( PDC dc, LP##type pt) \
} \
BOOL STDCALL NtGdi##FuncName ( HDC hdc, LP##type pt ) \
{ \
NTSTATUS Status; \
NTSTATUS Status = STATUS_SUCCESS; \
type Safept; \
PDC dc; \
if(!pt) \
@ -84,7 +84,18 @@ BOOL STDCALL NtGdi##FuncName ( HDC hdc, LP##type pt ) \
} \
Int##FuncName( dc, &Safept); \
DC_UnlockDc(dc); \
Status = MmCopyToCaller(pt, &Safept, sizeof( type )); \
_SEH_TRY \
{ \
ProbeForWrite(pt, \
sizeof( type ), \
1); \
*pt = Safept; \
} \
_SEH_HANDLE \
{ \
Status = _SEH_GetExceptionCode(); \
} \
_SEH_END; \
if(!NT_SUCCESS(Status)) \
{ \
SetLastNtError(Status); \
@ -830,11 +841,25 @@ NtGdiCreateDC(PUNICODE_STRING Driver,
UNICODE_STRING SafeDriver, SafeDevice;
DEVMODEW SafeInitData;
HDC Ret;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
if(InitData)
{
Status = MmCopyFromCaller(&SafeInitData, InitData, sizeof(DEVMODEW));
_SEH_TRY
{
ProbeForRead(InitData,
sizeof(DEVMODEW),
1);
RtlCopyMemory(&SafeInitData,
InitData,
sizeof(DEVMODEW));
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
@ -878,11 +903,24 @@ NtGdiCreateIC(PUNICODE_STRING Driver,
UNICODE_STRING SafeDriver, SafeDevice;
DEVMODEW SafeInitData;
HDC Ret;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
if(InitData)
{
Status = MmCopyFromCaller(&SafeInitData, InitData, sizeof(DEVMODEW));
_SEH_TRY
{
ProbeForRead(InitData,
sizeof(DEVMODEW),
1);
RtlCopyMemory(&SafeInitData,
InitData,
sizeof(DEVMODEW));
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
@ -1076,7 +1114,7 @@ NtGdiGetDCOrgEx(HDC hDC, LPPOINT Point)
BOOL Ret;
DC *dc;
POINT SafePoint;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
if(!Point)
{
@ -1093,7 +1131,19 @@ NtGdiGetDCOrgEx(HDC hDC, LPPOINT Point)
Ret = IntGdiGetDCOrgEx(dc, &SafePoint);
Status = MmCopyToCaller(Point, &SafePoint, sizeof(POINT));
_SEH_TRY
{
ProbeForWrite(Point,
sizeof(POINT),
1);
*Point = SafePoint;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
@ -1621,12 +1671,30 @@ NtGdiGetObject(HANDLE handle, INT count, LPVOID buffer)
{
INT Ret;
LPVOID SafeBuf;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
if (count <= 0)
{
return 0;
}
_SEH_TRY
{
ProbeForWrite(buffer,
count,
1);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
return 0;
}
SafeBuf = ExAllocatePoolWithTag(PagedPool, count, TAG_GDIOBJ);
if(!SafeBuf)
@ -1637,7 +1705,19 @@ NtGdiGetObject(HANDLE handle, INT count, LPVOID buffer)
Ret = IntGdiGetObject(handle, count, SafeBuf);
Status = MmCopyToCaller(buffer, SafeBuf, count);
_SEH_TRY
{
/* pointer already probed! */
RtlCopyMemory(buffer,
SafeBuf,
count);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
ExFreePool(SafeBuf);
if(!NT_SUCCESS(Status))
{

130
reactos/subsys/win32k/objects/fillshap.c
View file

@ -845,7 +845,7 @@ NtGdiPolygon(HDC hDC,
{
DC *dc;
LPPOINT Safept;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
BOOL Ret = FALSE;
if ( Count < 2 )
@ -853,6 +853,24 @@ NtGdiPolygon(HDC hDC,
SetLastWin32Error(ERROR_INVALID_PARAMETER);
return FALSE;
}
_SEH_TRY
{
ProbeForRead(UnsafePoints,
Count * sizeof(POINT),
1);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
SetLastNtError(Status);
return FALSE;
}
dc = DC_LockDc(hDC);
if(!dc)
@ -870,7 +888,19 @@ NtGdiPolygon(HDC hDC,
SetLastWin32Error(ERROR_NOT_ENOUGH_MEMORY);
else
{
Status = MmCopyFromCaller(Safept, UnsafePoints, sizeof(POINT) * Count);
_SEH_TRY
{
/* pointer was already probed! */
RtlCopyMemory(Safept,
UnsafePoints,
Count * sizeof(POINT));
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
SetLastNtError(Status);
else
@ -913,6 +943,28 @@ NtGdiPolyPolygon(HDC hDC,
if(Count > 0)
{
_SEH_TRY
{
ProbeForRead(Points,
Count * sizeof(POINT),
1);
ProbeForRead(PolyCounts,
Count * sizeof(INT),
1);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
SetLastNtError(Status);
return FALSE;
}
Safept = ExAllocatePoolWithTag(PagedPool, (sizeof(POINT) + sizeof(INT)) * Count, TAG_SHAPE);
if(!Safept)
{
@ -922,16 +974,23 @@ NtGdiPolyPolygon(HDC hDC,
}
SafePolyPoints = (LPINT)&Safept[Count];
Status = MmCopyFromCaller(Safept, Points, sizeof(POINT) * Count);
if(!NT_SUCCESS(Status))
_SEH_TRY
{
DC_UnlockDc(dc);
ExFreePool(Safept);
SetLastNtError(Status);
return FALSE;
/* pointers already probed! */
RtlCopyMemory(Safept,
Points,
Count * sizeof(POINT));
RtlCopyMemory(SafePolyPoints,
PolyCounts,
Count * sizeof(INT));
}
Status = MmCopyFromCaller(SafePolyPoints, PolyCounts, sizeof(INT) * Count);
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
@ -1520,7 +1579,7 @@ NtGdiGradientFill(
PTRIVERTEX SafeVertex;
PVOID SafeMesh;
ULONG SizeMesh;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
dc = DC_LockDc(hdc);
if(!dc)
@ -1555,6 +1614,28 @@ NtGdiGradientFill(
SetLastWin32Error(ERROR_INVALID_PARAMETER);
return FALSE;
}
_SEH_TRY
{
ProbeForRead(pVertex,
uVertex * sizeof(TRIVERTEX),
1);
ProbeForRead(pMesh,
SizeMesh,
1);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
SetLastWin32Error(Status);
return FALSE;
}
if(!(SafeVertex = ExAllocatePoolWithTag(PagedPool, (uVertex * sizeof(TRIVERTEX)) + SizeMesh, TAG_SHAPE)))
{
@ -1562,16 +1643,25 @@ NtGdiGradientFill(
SetLastWin32Error(ERROR_NOT_ENOUGH_MEMORY);
return FALSE;
}
Status = MmCopyFromCaller(SafeVertex, pVertex, uVertex * sizeof(TRIVERTEX));
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
ExFreePool(SafeVertex);
SetLastNtError(Status);
return FALSE;
}
SafeMesh = (PTRIVERTEX)(SafeVertex + uVertex);
Status = MmCopyFromCaller(SafeMesh, pMesh, SizeMesh);
_SEH_TRY
{
/* pointers were already probed! */
RtlCopyMemory(SafeVertex,
pVertex,
uVertex * sizeof(TRIVERTEX));
RtlCopyMemory(SafeMesh,
pMesh,
SizeMesh);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);

203
reactos/subsys/win32k/objects/line.c
View file

@ -503,7 +503,7 @@ NtGdiMoveToEx(HDC hDC,
{
DC *dc;
POINT SafePoint;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
BOOL Ret;
dc = DC_LockDc(hDC);
@ -521,7 +521,19 @@ NtGdiMoveToEx(HDC hDC,
if(Point)
{
Status = MmCopyFromCaller(&SafePoint, Point, sizeof(POINT));
_SEH_TRY
{
ProbeForRead(Point,
sizeof(POINT),
1);
SafePoint = *Point;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
@ -544,7 +556,7 @@ NtGdiPolyBezier(HDC hDC,
{
DC *dc;
LPPOINT Safept;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
BOOL Ret;
dc = DC_LockDc(hDC);
@ -562,6 +574,25 @@ NtGdiPolyBezier(HDC hDC,
if(Count > 0)
{
_SEH_TRY
{
ProbeForRead(pt,
Count * sizeof(POINT),
1);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
SetLastNtError(Status);
return FALSE;
}
Safept = ExAllocatePoolWithTag(PagedPool, sizeof(POINT) * Count, TAG_BEZIER);
if(!Safept)
{
@ -570,7 +601,19 @@ NtGdiPolyBezier(HDC hDC,
return FALSE;
}
Status = MmCopyFromCaller(Safept, pt, sizeof(POINT) * Count);
_SEH_TRY
{
/* pointers were already probed */
RtlCopyMemory(Safept,
pt,
Count * sizeof(POINT));
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
@ -601,7 +644,7 @@ NtGdiPolyBezierTo(HDC hDC,
{
DC *dc;
LPPOINT Safept;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
BOOL Ret;
dc = DC_LockDc(hDC);
@ -619,6 +662,25 @@ NtGdiPolyBezierTo(HDC hDC,
if(Count > 0)
{
_SEH_TRY
{
ProbeForRead(pt,
Count * sizeof(POINT),
1);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
SetLastNtError(Status);
return FALSE;
}
Safept = ExAllocatePoolWithTag(PagedPool, sizeof(POINT) * Count, TAG_BEZIER);
if(!Safept)
{
@ -627,7 +689,19 @@ NtGdiPolyBezierTo(HDC hDC,
return FALSE;
}
Status = MmCopyFromCaller(Safept, pt, sizeof(POINT) * Count);
_SEH_TRY
{
/* pointers were already probed */
RtlCopyMemory(Safept,
pt,
Count * sizeof(POINT));
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
@ -669,7 +743,7 @@ NtGdiPolyline(HDC hDC,
{
DC *dc;
LPPOINT Safept;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
BOOL Ret;
dc = DC_LockDc(hDC);
@ -687,6 +761,25 @@ NtGdiPolyline(HDC hDC,
if(Count >= 2)
{
_SEH_TRY
{
ProbeForRead(pt,
Count * sizeof(POINT),
1);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
SetLastNtError(Status);
return FALSE;
}
Safept = ExAllocatePoolWithTag(PagedPool, sizeof(POINT) * Count, TAG_SHAPE);
if(!Safept)
{
@ -695,7 +788,19 @@ NtGdiPolyline(HDC hDC,
return FALSE;
}
Status = MmCopyFromCaller(Safept, pt, sizeof(POINT) * Count);
_SEH_TRY
{
/* pointers were already probed */
RtlCopyMemory(Safept,
pt,
Count * sizeof(POINT));
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
@ -726,7 +831,7 @@ NtGdiPolylineTo(HDC hDC,
{
DC *dc;
LPPOINT Safept;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
BOOL Ret;
dc = DC_LockDc(hDC);
@ -744,6 +849,25 @@ NtGdiPolylineTo(HDC hDC,
if(Count > 0)
{
_SEH_TRY
{
ProbeForRead(pt,
Count * sizeof(POINT),
1);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
SetLastNtError(Status);
return FALSE;
}
Safept = ExAllocatePoolWithTag(PagedPool, sizeof(POINT) * Count, TAG_SHAPE);
if(!Safept)
{
@ -752,7 +876,19 @@ NtGdiPolylineTo(HDC hDC,
return FALSE;
}
Status = MmCopyFromCaller(Safept, pt, sizeof(POINT) * Count);
_SEH_TRY
{
/* pointers were already probed */
RtlCopyMemory(Safept,
pt,
Count * sizeof(POINT));
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
@ -785,7 +921,7 @@ NtGdiPolyPolyline(HDC hDC,
DC *dc;
LPPOINT Safept;
LPDWORD SafePolyPoints;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
BOOL Ret;
dc = DC_LockDc(hDC);
@ -803,6 +939,28 @@ NtGdiPolyPolyline(HDC hDC,
if(Count > 0)
{
_SEH_TRY
{
ProbeForRead(pt,
Count * sizeof(POINT),
1);
ProbeForRead(PolyPoints,
Count * sizeof(DWORD),
1);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);
SetLastNtError(Status);
return FALSE;
}
Safept = ExAllocatePoolWithTag(PagedPool, (sizeof(POINT) + sizeof(DWORD)) * Count, TAG_SHAPE);
if(!Safept)
{
@ -812,16 +970,23 @@ NtGdiPolyPolyline(HDC hDC,
}
SafePolyPoints = (LPDWORD)&Safept[Count];
Status = MmCopyFromCaller(Safept, pt, sizeof(POINT) * Count);
if(!NT_SUCCESS(Status))
_SEH_TRY
{
DC_UnlockDc(dc);
ExFreePool(Safept);
SetLastNtError(Status);
return FALSE;
/* pointers were already probed */
RtlCopyMemory(Safept,
pt,
Count * sizeof(POINT));
RtlCopyMemory(SafePolyPoints,
PolyPoints,
Count * sizeof(DWORD));
}
Status = MmCopyFromCaller(SafePolyPoints, PolyPoints, sizeof(DWORD) * Count);
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
DC_UnlockDc(dc);

16
reactos/subsys/win32k/objects/pen.c
View file

@ -97,9 +97,21 @@ HPEN STDCALL
NtGdiCreatePenIndirect(CONST PLOGPEN LogPen)
{
LOGPEN SafeLogPen;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
_SEH_TRY
{
ProbeForRead(LogPen,
sizeof(LOGPEN),
1);
SafeLogPen = *LogPen;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
Status = MmCopyFromCaller(&SafeLogPen, LogPen, sizeof(LOGPEN));
if (!NT_SUCCESS(Status))
{
SetLastNtError(Status);

71
reactos/subsys/win32k/objects/print.c
View file

@ -154,7 +154,7 @@ NtGdiExtEscape(
PDC pDC = DC_LockDc(hDC);
LPVOID SafeInData = NULL;
LPVOID SafeOutData = NULL;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
INT Result;
if ( pDC == NULL )
@ -170,6 +170,25 @@ NtGdiExtEscape(
if ( InSize && UnsafeInData )
{
_SEH_TRY
{
ProbeForRead(UnsafeInData,
InSize,
1);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
DC_UnlockDc(pDC);
SetLastNtError(Status);
return -1;
}
SafeInData = ExAllocatePoolWithTag ( PagedPool, InSize, TAG_PRINT );
if ( !SafeInData )
{
@ -177,7 +196,20 @@ NtGdiExtEscape(
SetLastWin32Error(ERROR_NOT_ENOUGH_MEMORY);
return -1;
}
Status = MmCopyFromCaller ( SafeInData, UnsafeInData, InSize );
_SEH_TRY
{
/* pointers were already probed! */
RtlCopyMemory(SafeInData,
UnsafeInData,
InSize);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if ( !NT_SUCCESS(Status) )
{
ExFreePool ( SafeInData );
@ -189,13 +221,32 @@ NtGdiExtEscape(
if ( OutSize && UnsafeOutData )
{
_SEH_TRY
{
ProbeForWrite(UnsafeOutData,
OutSize,
1);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
SetLastNtError(Status);
goto freeout;
}
SafeOutData = ExAllocatePoolWithTag ( PagedPool, OutSize, TAG_PRINT );
if ( !SafeOutData )
{
SetLastWin32Error(ERROR_NOT_ENOUGH_MEMORY);
freeout:
if ( SafeInData )
ExFreePool ( SafeInData );
DC_UnlockDc(pDC);
SetLastWin32Error(ERROR_NOT_ENOUGH_MEMORY);
return -1;
}
}
@ -209,7 +260,19 @@ NtGdiExtEscape(
if ( SafeOutData )
{
Status = MmCopyToCaller ( UnsafeOutData, SafeOutData, OutSize );
_SEH_TRY
{
/* pointers were already probed! */
RtlCopyMemory(UnsafeOutData,
SafeOutData,
OutSize);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
ExFreePool ( SafeOutData );
if ( !NT_SUCCESS(Status) )
{

150
reactos/subsys/win32k/objects/rect.c
View file

@ -35,11 +35,23 @@ BOOL STDCALL
NtGdiSetEmptyRect(PRECT UnsafeRect)
{
RECT Rect;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
IntGdiSetEmptyRect(&Rect);
Status = MmCopyToCaller(UnsafeRect, &Rect, sizeof(RECT));
_SEH_TRY
{
ProbeForWrite(UnsafeRect,
sizeof(RECT),
1);
*UnsafeRect = Rect;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (! NT_SUCCESS(Status))
{
SetLastNtError(Status);
@ -59,9 +71,20 @@ BOOL STDCALL
NtGdiIsEmptyRect(const RECT* UnsafeRect)
{
RECT Rect;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
Status = MmCopyFromCaller(&Rect, UnsafeRect, sizeof(RECT));
_SEH_TRY
{
ProbeForRead(UnsafeRect,
sizeof(RECT),
1);
Rect = *UnsafeRect;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (! NT_SUCCESS(Status))
{
SetLastNtError(Status);
@ -84,9 +107,20 @@ BOOL STDCALL
NtGdiOffsetRect(LPRECT UnsafeRect, INT x, INT y)
{
RECT Rect;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
Status = MmCopyFromCaller(&Rect, UnsafeRect, sizeof(RECT));
_SEH_TRY
{
ProbeForRead(UnsafeRect,
sizeof(RECT),
1);
Rect = *UnsafeRect;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (! NT_SUCCESS(Status))
{
SetLastNtError(Status);
@ -95,7 +129,18 @@ NtGdiOffsetRect(LPRECT UnsafeRect, INT x, INT y)
IntGdiOffsetRect(&Rect, x, y);
Status = MmCopyToCaller(UnsafeRect, &Rect, sizeof(RECT));
_SEH_TRY
{
ProbeForWrite(UnsafeRect,
sizeof(RECT),
1);
*UnsafeRect = Rect;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (! NT_SUCCESS(Status))
{
SetLastNtError(Status);
@ -142,16 +187,25 @@ BOOL STDCALL
NtGdiUnionRect(PRECT UnsafeDest, const RECT* UnsafeSrc1, const RECT* UnsafeSrc2)
{
RECT Dest, Src1, Src2;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
BOOL Ret;
Status = MmCopyFromCaller(&Src1, UnsafeSrc1, sizeof(RECT));
if (! NT_SUCCESS(Status))
{
SetLastNtError(Status);
return FALSE;
}
Status = MmCopyFromCaller(&Src2, UnsafeSrc2, sizeof(RECT));
_SEH_TRY
{
ProbeForRead(UnsafeSrc1,
sizeof(RECT),
1);
ProbeForRead(UnsafeSrc2,
sizeof(RECT),
1);
Src1 = *UnsafeSrc1;
Src2 = *UnsafeSrc2;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (! NT_SUCCESS(Status))
{
SetLastNtError(Status);
@ -162,7 +216,18 @@ NtGdiUnionRect(PRECT UnsafeDest, const RECT* UnsafeSrc1, const RECT* UnsafeSrc2)
if (Ret)
{
Status = MmCopyToCaller(UnsafeDest, &Dest, sizeof(RECT));
_SEH_TRY
{
ProbeForWrite(UnsafeDest,
sizeof(RECT),
1);
*UnsafeDest = Dest;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (! NT_SUCCESS(Status))
{
SetLastNtError(Status);
@ -186,11 +251,22 @@ BOOL STDCALL
NtGdiSetRect(PRECT UnsafeRect, INT left, INT top, INT right, INT bottom)
{
RECT Rect;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
IntGdiSetRect(&Rect, left, top, right, bottom);
Status = MmCopyToCaller(UnsafeRect, &Rect, sizeof(RECT));
_SEH_TRY
{
ProbeForWrite(UnsafeRect,
sizeof(RECT),
1);
*UnsafeRect = Rect;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (! NT_SUCCESS(Status))
{
SetLastNtError(Status);
@ -223,16 +299,25 @@ BOOL STDCALL
NtGdiIntersectRect(PRECT UnsafeDest, const RECT* UnsafeSrc1, const RECT* UnsafeSrc2)
{
RECT Dest, Src1, Src2;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
BOOL Ret;
Status = MmCopyFromCaller(&Src1, UnsafeSrc1, sizeof(RECT));
if (! NT_SUCCESS(Status))
{
SetLastNtError(Status);
return FALSE;
}
Status = MmCopyFromCaller(&Src2, UnsafeSrc2, sizeof(RECT));
_SEH_TRY
{
ProbeForRead(UnsafeSrc1,
sizeof(RECT),
1);
ProbeForRead(UnsafeSrc2,
sizeof(RECT),
1);
Src1 = *UnsafeSrc1;
Src2 = *UnsafeSrc2;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (! NT_SUCCESS(Status))
{
SetLastNtError(Status);
@ -243,7 +328,18 @@ NtGdiIntersectRect(PRECT UnsafeDest, const RECT* UnsafeSrc1, const RECT* UnsafeS
if (Ret)
{
Status = MmCopyToCaller(UnsafeDest, &Dest, sizeof(RECT));
_SEH_TRY
{
ProbeForWrite(UnsafeDest,
sizeof(RECT),
1);
*UnsafeDest = Dest;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (! NT_SUCCESS(Status))
{
SetLastNtError(Status);

243
reactos/subsys/win32k/objects/region.c
View file

@ -2029,9 +2029,20 @@ STDCALL
NtGdiCreateEllipticRgnIndirect(CONST PRECT Rect)
{
RECT SafeRect;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
Status = MmCopyFromCaller(&SafeRect, Rect, sizeof(RECT));
_SEH_TRY
{
ProbeForRead(Rect,
sizeof(RECT),
1);
SafeRect = *Rect;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
@ -2063,9 +2074,20 @@ HRGN STDCALL
NtGdiCreateRectRgnIndirect(CONST PRECT rc)
{
RECT SafeRc;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
Status = MmCopyFromCaller(&SafeRc, rc, sizeof(RECT));
_SEH_TRY
{
ProbeForRead(rc,
sizeof(RECT),
1);
SafeRc = *rc;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
return(NULL);
@ -2229,9 +2251,9 @@ NtGdiExtCreateRegion(CONST XFORM *Xform,
CONST RGNDATA *RgnData)
{
HRGN hRgn;
RGNDATA SafeRgnData;
PROSRGNDATA Region;
NTSTATUS Status;
DWORD nCount = 0;
NTSTATUS Status = STATUS_SUCCESS;
if (Count < FIELD_OFFSET(RGNDATA, Buffer))
{
@ -2239,14 +2261,30 @@ NtGdiExtCreateRegion(CONST XFORM *Xform,
return NULL;
}
Status = MmCopyFromCaller(&SafeRgnData, RgnData, min(Count, sizeof(RGNDATA)));
_SEH_TRY
{
ProbeForRead(RgnData,
Count,
1);
nCount = RgnData->rdh.nCount;
if((Count - FIELD_OFFSET(RGNDATA, Buffer)) / sizeof(RECT) < nCount)
{
Status = STATUS_INVALID_PARAMETER;
_SEH_LEAVE;
}
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
SetLastWin32Error(ERROR_INVALID_PARAMETER);
SetLastNtError(Status);
return NULL;
}
hRgn = RGNDATA_AllocRgn(SafeRgnData.rdh.nCount);
hRgn = RGNDATA_AllocRgn(nCount);
if (hRgn == NULL)
{
SetLastWin32Error(ERROR_NOT_ENOUGH_MEMORY);
@ -2260,10 +2298,20 @@ NtGdiExtCreateRegion(CONST XFORM *Xform,
return FALSE;
}
RtlCopyMemory(&Region->rdh, &SafeRgnData, FIELD_OFFSET(RGNDATA, Buffer));
Status = MmCopyFromCaller(Region->Buffer, RgnData->Buffer,
Count - FIELD_OFFSET(RGNDATA, Buffer));
_SEH_TRY
{
RtlCopyMemory(&Region->rdh,
RgnData,
FIELD_OFFSET(RGNDATA, Buffer));
RtlCopyMemory(Region->Buffer,
RgnData->Buffer,
Count - FIELD_OFFSET(RGNDATA, Buffer));
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
SetLastWin32Error(ERROR_INVALID_PARAMETER);
@ -2354,6 +2402,7 @@ NtGdiGetRgnBox(HRGN hRgn,
PROSRGNDATA Rgn;
RECT SafeRect;
DWORD ret;
NTSTATUS Status = STATUS_SUCCESS;
if (!(Rgn = RGNDATA_LockRgn(hRgn)))
{
@ -2367,7 +2416,19 @@ NtGdiGetRgnBox(HRGN hRgn,
return ret;
}
if (!NT_SUCCESS(MmCopyToCaller(pRect, &SafeRect, sizeof(RECT))))
_SEH_TRY
{
ProbeForWrite(pRect,
sizeof(RECT),
1);
*pRect = SafeRect;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
return ERROR;
}
@ -2576,15 +2637,30 @@ NtGdiRectInRegion(HRGN hRgn,
PROSRGNDATA Rgn;
RECT rc;
BOOL Ret;
NTSTATUS Status = STATUS_SUCCESS;
if(!(Rgn = RGNDATA_LockRgn(hRgn)))
{
return ERROR;
}
if (!NT_SUCCESS(MmCopyFromCaller(&rc, unsaferc, sizeof(RECT))))
_SEH_TRY
{
ProbeForRead(unsaferc,
sizeof(RECT),
1);
rc = *unsaferc;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
RGNDATA_UnlockRgn(Rgn);
SetLastNtError(Status);
DPRINT1("NtGdiRectInRegion: bogus rc\n");
return ERROR;
}
@ -2635,17 +2711,31 @@ NtGdiUnionRectWithRgn(HRGN hDest, CONST PRECT UnsafeRect)
{
RECT SafeRect;
PROSRGNDATA Rgn;
NTSTATUS Status = STATUS_SUCCESS;
if(!(Rgn = (PROSRGNDATA)RGNDATA_LockRgn(hDest)))
{
SetLastWin32Error(ERROR_INVALID_HANDLE);
return NULL;
}
_SEH_TRY
{
ProbeForRead(UnsafeRect,
sizeof(RECT),
1);
SafeRect = *UnsafeRect;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (! NT_SUCCESS(MmCopyFromCaller(&SafeRect, UnsafeRect, sizeof(RECT))))
if (! NT_SUCCESS(Status))
{
RGNDATA_UnlockRgn(Rgn);
SetLastWin32Error(ERROR_INVALID_PARAMETER);
SetLastNtError(Status);
return NULL;
}
@ -2668,6 +2758,7 @@ DWORD STDCALL NtGdiGetRegionData(HRGN hrgn, DWORD count, LPRGNDATA rgndata)
{
DWORD size;
PROSRGNDATA obj = RGNDATA_LockRgn( hrgn );
NTSTATUS Status = STATUS_SUCCESS;
if(!obj)
return 0;
@ -2681,16 +2772,31 @@ DWORD STDCALL NtGdiGetRegionData(HRGN hrgn, DWORD count, LPRGNDATA rgndata)
else /* user requested buffer size with rgndata NULL */
return size + sizeof(RGNDATAHEADER);
}
//first we copy the header then we copy buffer
if( !NT_SUCCESS( MmCopyToCaller( rgndata, obj, sizeof( RGNDATAHEADER )))){
RGNDATA_UnlockRgn( obj );
return 0;
}
if( !NT_SUCCESS( MmCopyToCaller( (char*)rgndata+sizeof( RGNDATAHEADER ), obj->Buffer, size ))){
RGNDATA_UnlockRgn( obj );
return 0;
}
_SEH_TRY
{
ProbeForWrite(rgndata,
count,
1);
RtlCopyMemory(rgndata,
obj,
sizeof(RGNDATAHEADER));
RtlCopyMemory((PVOID)((ULONG_PTR)rgndata + (ULONG_PTR)sizeof(RGNDATAHEADER)),
obj->Buffer,
size);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
RGNDATA_UnlockRgn( obj );
return 0;
}
RGNDATA_UnlockRgn( obj );
return size + sizeof(RGNDATAHEADER);
@ -3291,7 +3397,7 @@ NtGdiCreatePolygonRgn(CONST PPOINT pt,
INT PolyFillMode)
{
POINT *SafePoints;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
HRGN hRgn;
@ -3329,6 +3435,24 @@ NtGdiCreatePolygonRgn(CONST PPOINT pt,
RGNDATA_UnlockRgn(rgn);
return hRgn;
}
_SEH_TRY
{
ProbeForRead(pt,
Count * sizeof(POINT),
1);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
SetLastNtError(Status);
return (HRGN)0;
}
if (!(SafePoints = ExAllocatePoolWithTag(PagedPool, Count * sizeof(POINT), TAG_REGION)))
{
@ -3336,7 +3460,18 @@ NtGdiCreatePolygonRgn(CONST PPOINT pt,
return (HRGN)0;
}
Status = MmCopyFromCaller(SafePoints, pt, Count * sizeof(POINT));
_SEH_TRY
{
/* pointers were already probed! */
RtlCopyMemory(SafePoints,
pt,
Count * sizeof(POINT));
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
ExFreePool(SafePoints);
@ -3361,7 +3496,7 @@ NtGdiCreatePolyPolygonRgn(CONST PPOINT pt,
INT *SafePolyCounts;
INT nPoints, nEmpty, nInvalid, i;
HRGN hRgn;
NTSTATUS Status;
NTSTATUS Status = STATUS_SUCCESS;
if (pt == NULL || PolyCounts == NULL || Count == 0 ||
(PolyFillMode != WINDING && PolyFillMode != ALTERNATE))
@ -3369,6 +3504,27 @@ NtGdiCreatePolyPolygonRgn(CONST PPOINT pt,
/* Windows doesn't set a last error here */
return (HRGN)0;
}
_SEH_TRY
{
ProbeForRead(PolyCounts,
Count * sizeof(INT),
1);
ProbeForRead(pt,
nPoints * sizeof(POINT),
1);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
SetLastNtError(Status);
return (HRGN)0;
}
if (!(SafePolyCounts = ExAllocatePoolWithTag(PagedPool, Count * sizeof(INT), TAG_REGION)))
{
@ -3376,7 +3532,19 @@ NtGdiCreatePolyPolygonRgn(CONST PPOINT pt,
return (HRGN)0;
}
Status = MmCopyFromCaller(SafePolyCounts, PolyCounts, Count * sizeof(INT));
_SEH_TRY
{
/* pointers were already probed! */
RtlCopyMemory(SafePolyCounts,
PolyCounts,
Count * sizeof(INT));
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
ExFreePool(SafePolyCounts);
@ -3423,7 +3591,18 @@ NtGdiCreatePolyPolygonRgn(CONST PPOINT pt,
return (HRGN)0;
}
Status = MmCopyFromCaller(Safept, pt, nPoints * sizeof(POINT));
_SEH_TRY
{
/* pointers were already probed! */
RtlCopyMemory(Safept,
pt,
Count * sizeof(POINT));
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
ExFreePool(Safept);