[WIN32K]

Check the size of RLE bitmaps, while decompressing. Fixes possible buffer overrun. Patch by Kamil Hornicek CORE-8735 #resolve svn path=/trunk/; revision=69760
2024-10-01 23:14:53 +00:00 · 2015-10-31 20:37:20 +00:00 · 2015-10-31 20:37:20 +00:00 · dcd1e307d8
parent 36d8294a79
commit dcd1e307d8
3 changed files with 7 additions and 7 deletions
--- a/reactos/win32ss/gdi/eng/eng.h
+++ b/reactos/win32ss/gdi/eng/eng.h
@ -52,4 +52,5 @@ DecompressBitmap(
    BYTE *CompressedBits,
    BYTE *UncompressedBits,
    LONG Delta,
-    ULONG iFormat);
+    ULONG iFormat,
+    ULONG cjSizeImage);
--- a/reactos/win32ss/gdi/eng/rlecomp.c
+++ b/reactos/win32ss/gdi/eng/rlecomp.c
@ -18,14 +18,14 @@ enum Rle_EscapeCodes
    RLE_DELTA = 2  /* Delta */
 };

-VOID DecompressBitmap(SIZEL Size, BYTE *CompressedBits, BYTE *UncompressedBits, LONG Delta, ULONG Format)
+VOID DecompressBitmap(SIZEL Size, BYTE *CompressedBits, BYTE *UncompressedBits, LONG Delta, ULONG Format, ULONG cjSizeImage)
 {
    INT x = 0;
    INT y = Size.cy - 1;
    INT c;
    INT length;
    INT width;
-    INT height = Size.cy - 1;
+    INT height = y;
    BYTE *begin = CompressedBits;
    BYTE *bits = CompressedBits;
    BYTE *temp;
@ -40,7 +40,7 @@ VOID DecompressBitmap(SIZEL Size, BYTE *CompressedBits, BYTE *UncompressedBits,

    _SEH2_TRY
    {
-        while (y >= 0)
+        while (y >= 0 && (bits - begin) <= cjSizeImage)
        {
            length = (*bits++) >> shift;
            if (length)
--- a/reactos/win32ss/gdi/ntgdi/bitmaps.c
+++ b/reactos/win32ss/gdi/ntgdi/bitmaps.c
@ -107,7 +107,6 @@ GreCreateBitmapEx(
        pvCompressedBits = pvBits;
        pvBits = NULL;
        iFormat = (iFormat == BMF_4RLE) ? BMF_4BPP : BMF_8BPP;
-        cjSizeImage = 0;
    }

    /* Allocate a surface */
@ -117,7 +116,7 @@ GreCreateBitmapEx(
                                 iFormat,
                                 fjBitmap,
                                 cjWidthBytes,
-                                 cjSizeImage,
+                                 pvCompressedBits ? 0 : cjSizeImage,
                                 pvBits);
    if (!psurf)
    {
@ -136,7 +135,7 @@ GreCreateBitmapEx(
        lDelta = WIDTH_BYTES_ALIGN32(nWidth, gajBitsPerFormat[iFormat]);

        pvBits = psurf->SurfObj.pvBits;
-        DecompressBitmap(sizl, pvCompressedBits, pvBits, lDelta, iFormat);
+        DecompressBitmap(sizl, pvCompressedBits, pvBits, lDelta, iFormat, cjSizeImage);
    }

    /* Get the handle for the bitmap */