From ebd0c068095a22db0d5028a7b48d025e825716ad Mon Sep 17 00:00:00 2001
From: Timo Kreuzer
Date: Sun, 8 Mar 2015 23:36:36 +0000
Subject: [PATCH] [WIN32K] - Pass size in bytes to UnsafeSetBitmapBits from NtGdiCreateBitmap - In NtGdiSetBitmapBits check for stock bitmap and non-API bitmap. svn path=/trunk/; revision=66616
---
reactos/win32ss/gdi/ntgdi/bitmaps.c | 24 ++++++++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/reactos/win32ss/gdi/ntgdi/bitmaps.c b/reactos/win32ss/gdi/ntgdi/bitmaps.c
index 37e8ad153d3..ff613d1faa4 100644
--- a/reactos/win32ss/gdi/ntgdi/bitmaps.c
+++ b/reactos/win32ss/gdi/ntgdi/bitmaps.c
@@ -53,6 +53,8 @@ UnsafeSetBitmapBits( PUCHAR pjDst, pjSrc; LONG lDeltaDst, lDeltaSrc; ULONG nWidth, nHeight, cBitsPixel; + NT_ASSERT(psurf->flags & API_BITMAP); + NT_ASSERT(psurf->SurfObj.iBitmapFormat <= BMF_32BPP); nWidth = psurf->SurfObj.sizlBitmap.cx; nHeight = psurf->SurfObj.sizlBitmap.cy;
@@ -63,8 +65,10 @@ UnsafeSetBitmapBits( pjSrc = pvBits; lDeltaDst = psurf->SurfObj.lDelta; lDeltaSrc = WIDTH_BYTES_ALIGN16(nWidth, cBitsPixel); + NT_ASSERT(lDeltaSrc <= abs(lDeltaDst)); - if (cjBits && (cjBits < (lDeltaSrc * nHeight))) + /* Make sure the buffer is large enough*/ + if (cjBits < (lDeltaSrc * nHeight)) return 0; while (nHeight--)
@@ -227,7 +231,7 @@ NtGdiCreateBitmap( _SEH2_TRY { ProbeForRead(pUnsafeBits, (SIZE_T)cjSize, 1); - UnsafeSetBitmapBits(psurf, 0, pUnsafeBits); + UnsafeSetBitmapBits(psurf, cjSize, pUnsafeBits); } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) {
@@ -568,6 +572,11 @@ NtGdiSetBitmapBits( return 0; } + if (GDI_HANDLE_IS_STOCKOBJ(hBitmap)) + { + return 0; + } + psurf = SURFACE_ShareLockSurface(hBitmap); if (psurf == NULL) {
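Review bot: The two `NT_ASSERT`s added at the top of UnsafeSetBitmapBits (hunk `@@ -53,6 +53,8 @@`), and the `NT_ASSERT(lDeltaSrc <= abs(lDeltaDst))` in the following hunk, state preconditions the copy depends on, but an assert is normally compiled out of free builds, so there they enforce nothing. NtGdiSetBitmapBits gains matching runtime checks later in this patch; the NtGdiCreateBitmap call site shows none in its hunk, so presumably the surface it has just created always satisfies them. I would document the contract above the function, e.g. `/* Caller must pass an API_BITMAP surface in an uncompressed format (<= BMF_32BPP); this is only asserted here. */`, and consider making the stride comparison a real check, `if (lDeltaSrc > abs(lDeltaDst)) return 0;`. The function's signature and its copy loop are outside the hunk.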
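Review bot: The size check `cjBits < (lDeltaSrc * nHeight)` in hunk `@@ -63,8 +65,10 @@` multiplies a LONG by a ULONG, so the product is computed in 32 bits and can wrap for a large enough surface, which would let an undersized buffer pass the test. Unless surface creation already bounds stride times height, widen before multiplying: `if ((ULONGLONG)cjBits < (ULONGLONG)lDeltaSrc * nHeight)`. The declaration of cjBits and the body of the `while (nHeight--)` loop are outside the hunk, so the per-row copy length cannot be confirmed from here.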
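Review bot: The result of `UnsafeSetBitmapBits(psurf, cjSize, pUnsafeBits)` in the NtGdiCreateBitmap hunk (`@@ -227,7 +231,7 @@`) is discarded, and now that a real size is passed the callee can return 0 when it judges the buffer too small. If cjSize is derived with the same stride formula this never triggers, but any mismatch would silently return a bitmap whose bits were never set. I would treat a zero return like the exception path, e.g. `if (!UnsafeSetBitmapBits(psurf, cjSize, pUnsafeBits)) { /* fail the call as the _SEH2_EXCEPT handler does */ }`. The computation of cjSize and the handler body are outside the hunk.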
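Review bot: The stock-object rejection added in hunk `@@ -568,6 +572,11 @@` returns 0 without a comment and without setting a last error, while the non-API-bitmap rejection added in the next hunk calls `EngSetLastError(ERROR_INVALID_HANDLE)`. Stock objects are shared by every process, so the reason deserves one line: `/* Stock bitmaps are shared system-wide; never let a caller overwrite their bits */`. If callers are meant to see a last-error value for both failures, add `EngSetLastError(ERROR_INVALID_HANDLE);` before this return as well.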
@@ -575,6 +584,17 @@ NtGdiSetBitmapBits( return 0; } + if (((psurf->flags & API_BITMAP) == 0) || + (psurf->SurfObj.iBitmapFormat > BMF_32BPP)) + { + DPRINT1("Invalid bitmap: iBitmapFormat = %lu, flags = 0x%lx\n", + psurf->SurfObj.iBitmapFormat, + psurf->flags); + EngSetLastError(ERROR_INVALID_HANDLE); + SURFACE_ShareUnlockSurface(psurf); + return 0; + } + _SEH2_TRY { ProbeForRead(pUnsafeBits, Bytes, sizeof(WORD));
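Review bot: The format test `psurf->SurfObj.iBitmapFormat > BMF_32BPP` relies on the BMF_* constants being ordered with the RLE, JPEG and PNG formats above BMF_32BPP, and it lets a format value of 0 through. A comment would make the intent explicit: `/* Only uncompressed API bitmaps may be written; compressed BMF_* values sort above BMF_32BPP */`. This is the runtime gate that makes the asserts in UnsafeSetBitmapBits hold for this caller, so it needs to stay ahead of the `_SEH2_TRY` block, whose body continues outside the hunk.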