From e395d953b3e9db721e101473dec60465c65f1745 Mon Sep 17 00:00:00 2001
From: Thomas Faber
Date: Mon, 24 Apr 2017 15:04:00 +0000
Subject: [PATCH] [USER32] Fix heap corruption in EnumDisplaySettingsExA/W:

- Do not overwrite the user-provided buffer size in dmDriverExtra
- Fix broken pointer arithmetic
CORE-13097

svn path=/trunk/; revision=74403
---
 reactos/win32ss/user/user32/misc/display.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/reactos/win32ss/user/user32/misc/display.c b/reactos/win32ss/user/user32/misc/display.c
index a596ef3627f..7548c8cc595 100644
--- a/reactos/win32ss/user/user32/misc/display.c
+++ b/reactos/win32ss/user/user32/misc/display.c
@@ -238,7 +238,6 @@ EnumDisplaySettingsExA(
     COPYS(dmDeviceName, CCHDEVICENAME);
     COPYN(dmSpecVersion);
     COPYN(dmDriverVersion);
-    COPYN(dmDriverExtra);
     COPYN(dmFields);
     COPYN(dmPosition.x);
     COPYN(dmPosition.y);
@@ -288,7 +287,9 @@ EnumDisplaySettingsExA(
         lpDevMode->dmDriverExtra = lpExtendedDevMode->dmDriverExtra;
 
         /* Copy extra data */
-        RtlCopyMemory(lpDevMode + OldSize, lpExtendedDevMode + 1, lpDevMode->dmDriverExtra);
+        RtlCopyMemory((PUCHAR)lpDevMode + OldSize,
+                      lpExtendedDevMode + 1,
+                      lpDevMode->dmDriverExtra);
     }
 
     /* If the size of source structure is less, than used, we clean unsupported flags */
@@ -363,14 +364,16 @@ EnumDisplaySettingsExW(
     Status = NtUserEnumDisplaySettings(pusDeviceName, iModeNum, lpExtendedDevMode, dwFlags);
     if (NT_SUCCESS(Status))
     {
-        /* Store old structure size */
+        /* Store old structure sizes */
         WORD OldSize = lpDevMode->dmSize;
+        WORD OldDriverExtra = lpDevMode->dmDriverExtra;
 
         /* Copy general data */
         RtlCopyMemory(lpDevMode, lpExtendedDevMode, OldSize);
 
-        /* Restore old size */
+        /* Restore old sizes */
         lpDevMode->dmSize = OldSize;
+        lpDevMode->dmDriverExtra = OldDriverExtra;
 
         /* Extra data presented? */
         if (lpDevMode->dmDriverExtra && lpExtendedDevMode->dmDriverExtra)
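Review bot: The length passed to RtlCopyMemory in the `+` lines of the `@@ -288,7 +287,9 @@` hunk is `lpDevMode->dmDriverExtra`, which the hunk's first context line has just set from `lpExtendedDevMode->dmDriverExtra`, so within this hunk the copy is bounded by the source's extra-data size rather than by the capacity the caller supplied; the condition that makes that assignment safe sits above the hunk and is not visible here. The enclosing `if` block starts outside the hunk, and the same pattern appears in the EnumDisplaySettingsExW hunk at `@@ -380,7 +383,9 @@`. If the preceding condition clamps dmDriverExtra to the smaller of the caller's and the source's values, a comment at the `/* Copy extra data */` line would let a reader verify the bound without leaving the block, e.g. `/* Copy extra data: dmDriverExtra is the smaller of the caller's capacity and the source size, so this stays inside the caller's buffer */`. Otherwise the copy length needs an explicit `min()` against the caller's original dmDriverExtra, which this commit now preserves for the W variant.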
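Review bot: In the `@@ -363,14 +364,16 @@` hunk, `RtlCopyMemory(lpDevMode, lpExtendedDevMode, OldSize)` reads `OldSize` bytes out of the kernel-filled DEVMODEW, and `OldSize` is the caller's `dmSize`; nothing in the hunk bounds it against the size of `*lpExtendedDevMode`, so unless dmSize is validated earlier in EnumDisplaySettingsExW (the function begins outside the hunk) a caller-supplied dmSize larger than that buffer would over-read it. Saving and restoring dmDriverExtra alongside dmSize is the right fix here, since the general copy overwrites both header fields. A comment on the `WORD OldSize = lpDevMode->dmSize;` line naming where dmSize is checked, or bounding only the copy length as in `RtlCopyMemory(lpDevMode, lpExtendedDevMode, min(OldSize, sizeof(*lpExtendedDevMode)));` (using the buffer's actual allocation size if it differs), would make the bound explicit without altering the dmSize that is restored afterwards.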
@@ -380,7 +383,9 @@ EnumDisplaySettingsExW(
         lpDevMode->dmDriverExtra = lpExtendedDevMode->dmDriverExtra;
 
         /* Copy extra data */
-        RtlCopyMemory(lpDevMode + OldSize, lpExtendedDevMode + 1, lpDevMode->dmDriverExtra);
+        RtlCopyMemory((PUCHAR)lpDevMode + OldSize,
+                      lpExtendedDevMode + 1,
+                      lpDevMode->dmDriverExtra);
     }
 
     /* If the size of source structure is less, than used, we clean unsupported flags */