Check the size of RLE bitmaps, while decompressing. Fixes possible buffer overrun.
Patch by Kamil Hornicek
CORE-8735 #resolve

svn path=/trunk/; revision=69760
Timo Kreuzer 2015-10-31 20:37:20 +00:00
parent 36d8294a79
commit dcd1e307d8
3 changed files with 7 additions and 7 deletions


@ -52,4 +52,5 @@ DecompressBitmap(
BYTE *CompressedBits, BYTE *CompressedBits,
BYTE *UncompressedBits, BYTE *UncompressedBits,
LONG Delta, LONG Delta,
ULONG iFormat); ULONG iFormat,
ULONG cjSizeImage);


@ -18,14 +18,14 @@ enum Rle_EscapeCodes
RLE_DELTA = 2 /* Delta */ RLE_DELTA = 2 /* Delta */
}; };
VOID DecompressBitmap(SIZEL Size, BYTE *CompressedBits, BYTE *UncompressedBits, LONG Delta, ULONG Format) VOID DecompressBitmap(SIZEL Size, BYTE *CompressedBits, BYTE *UncompressedBits, LONG Delta, ULONG Format, ULONG cjSizeImage)
{ {
INT x = 0; INT x = 0;
INT y = Size.cy - 1; INT y = Size.cy - 1;
INT c; INT c;
INT length; INT length;
INT width; INT width;
INT height = Size.cy - 1; INT height = y;
BYTE *begin = CompressedBits; BYTE *begin = CompressedBits;
BYTE *bits = CompressedBits; BYTE *bits = CompressedBits;
BYTE *temp; BYTE *temp;
@ -40,7 +40,7 @@ VOID DecompressBitmap(SIZEL Size, BYTE *CompressedBits, BYTE *UncompressedBits,
_SEH2_TRY _SEH2_TRY
{ {
while (y >= 0) while (y >= 0 && (bits - begin) <= cjSizeImage)
{ {
length = (*bits++) >> shift; length = (*bits++) >> shift;
if (length) if (length)
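Review bot: The new bound in the `while` condition is off by one and guards only the first read of each iteration. With `(bits - begin) <= cjSizeImage` the loop is still entered when `bits` sits exactly `cjSizeImage` bytes past `begin`, and `length = (*bits++) >> shift;` then reads one byte beyond the compressed data; a strict comparison, `while (y >= 0 && (bits - begin) < cjSizeImage)`, closes that case. The loop body continues outside the hunk, so any further `*bits++` reads in it (run value, escape operands, absolute runs) are presumably not covered by this check and would each need a remaining-length test. The check also bounds only the input side and says nothing about writes through `UncompressedBits`.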


@ -107,7 +107,6 @@ GreCreateBitmapEx(
pvCompressedBits = pvBits; pvCompressedBits = pvBits;
pvBits = NULL; pvBits = NULL;
iFormat = (iFormat == BMF_4RLE) ? BMF_4BPP : BMF_8BPP; iFormat = (iFormat == BMF_4RLE) ? BMF_4BPP : BMF_8BPP;
cjSizeImage = 0;
} }
/* Allocate a surface */ /* Allocate a surface */
@ -117,7 +116,7 @@ GreCreateBitmapEx(
iFormat, iFormat,
fjBitmap, fjBitmap,
cjWidthBytes, cjWidthBytes,
cjSizeImage, pvCompressedBits ? 0 : cjSizeImage,
pvBits); pvBits);
if (!psurf) if (!psurf)
{ {
@ -136,7 +135,7 @@ GreCreateBitmapEx(
lDelta = WIDTH_BYTES_ALIGN32(nWidth, gajBitsPerFormat[iFormat]); lDelta = WIDTH_BYTES_ALIGN32(nWidth, gajBitsPerFormat[iFormat]);
pvBits = psurf->SurfObj.pvBits; pvBits = psurf->SurfObj.pvBits;
DecompressBitmap(sizl, pvCompressedBits, pvBits, lDelta, iFormat); DecompressBitmap(sizl, pvCompressedBits, pvBits, lDelta, iFormat, cjSizeImage);
} }
/* Get the handle for the bitmap */ /* Get the handle for the bitmap */
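Review bot: `cjSizeImage` changes meaning on the RLE path without a comment. It is now kept as the length of the compressed buffer and passed to `DecompressBitmap`, while the allocator receives 0 through `pvCompressedBits ? 0 : cjSizeImage`, presumably so that it computes the surface size itself. A comment at the ternary such as `/* RLE: cjSizeImage is the compressed input size; pass 0 so the surface size is computed */` would record that. The value is whatever the caller supplied: nothing in these hunks checks that it is non-zero or that it matches the buffer behind `pvCompressedBits`, so the new bound in the decompressor is only as reliable as the callers, which are outside this page.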