Timestamp:
Feb 11, 2013, 1:01:32 AM (13 years ago)
Author:
dmik
Message:

gdi32: Fix crash in ResetDCW() caused by accessing invalid memory.

The implementation made in r21998 contained a bug: it did not copy the
driver-specific data into an OEM version of the structure, which caused
WGSS to access unallocated memory.

File:
1 edited

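--- a/trunk/src/gdi32/devcontext.cpp
+++ b/trunk/src/gdi32/devcontext.cpp
@@ -431,47 +431,59 @@
 HDC WIN32API ResetDCW( HDC arg1, const DEVMODEW *  arg2)
 {
-    DEVMODEA devmodea;
-
-    devmodea.dmSpecVersion      = arg2->dmSpecVersion;
-    devmodea.dmDriverVersion    = arg2->dmDriverVersion;
-    devmodea.dmSize             = sizeof(DEVMODEW);
-    devmodea.dmDriverExtra      = arg2->dmDriverExtra;
-    devmodea.dmFields           = arg2->dmFields;
-
-    devmodea.dmOrientation      = arg2->dmOrientation;
-        devmodea.dmPaperSize        = arg2->dmPaperSize;
-        devmodea.dmPaperLength      = arg2->dmPaperLength;
-    devmodea.dmPaperWidth       = arg2->dmPaperWidth;
-    devmodea.dmPosition         = arg2->dmPosition;
-
-    devmodea.dmScale            = arg2->dmScale;
-    devmodea.dmCopies           = arg2->dmCopies;
-    devmodea.dmDefaultSource    = arg2->dmDefaultSource;
-    devmodea.dmPrintQuality     = arg2->dmPrintQuality;
-    devmodea.dmColor            = arg2->dmColor;
-    devmodea.dmDuplex           = arg2->dmDuplex;
-    devmodea.dmYResolution      = arg2->dmYResolution;
-    devmodea.dmTTOption         = arg2->dmTTOption;
-    devmodea.dmCollate          = arg2->dmCollate;
-
-    devmodea.dmLogPixels        = arg2->dmLogPixels;
-    devmodea.dmBitsPerPel       = arg2->dmBitsPerPel;
-    devmodea.dmPelsWidth        = arg2->dmPelsWidth;
-    devmodea.dmPelsHeight       = arg2->dmPelsHeight;
-    devmodea.dmDisplayFlags     = arg2->dmDisplayFlags;
-    devmodea.dmDisplayFrequency = arg2->dmDisplayFrequency;
-    devmodea.dmICMMethod        = arg2->dmICMMethod;
-    devmodea.dmICMIntent        = arg2->dmICMIntent;
-    devmodea.dmMediaType        = arg2->dmMediaType;
-    devmodea.dmDitherType       = arg2->dmDitherType;
-    devmodea.dmReserved1        = arg2->dmReserved1;
-    devmodea.dmReserved2        = arg2->dmReserved2;
-    devmodea.dmPanningWidth     = arg2->dmPanningWidth;
-    devmodea.dmPanningHeight    = arg2->dmPanningHeight;
-
-    lstrcpynWtoA(devmodea.dmDeviceName, arg2->dmDeviceName, CCHDEVICENAME);
-    lstrcpynWtoA(devmodea.dmFormName, arg2->dmFormName, CCHFORMNAME);
-
-    return (HDC)O32_ResetDC(arg1, &devmodea);
+    PDEVMODEA pdevmodea = (PDEVMODEA)malloc(sizeof(DEVMODEA) + arg2->dmDriverExtra);
+    if (!pdevmodea)
+    {
+        SetLastError(ERROR_NOT_ENOUGH_MEMORY);
+        return NULL;
+    }
+
+    pdevmodea->dmSpecVersion      = arg2->dmSpecVersion;
+    pdevmodea->dmDriverVersion    = arg2->dmDriverVersion;
+    pdevmodea->dmSize             = sizeof(DEVMODEA);
+    pdevmodea->dmDriverExtra      = arg2->dmDriverExtra;
+    pdevmodea->dmFields           = arg2->dmFields;
+
+    pdevmodea->dmOrientation      = arg2->dmOrientation;
+    pdevmodea->dmPaperSize        = arg2->dmPaperSize;
+          pdevmodea->dmPaperLength      = arg2->dmPaperLength;
+    pdevmodea->dmPaperWidth       = arg2->dmPaperWidth;
+    pdevmodea->dmPosition         = arg2->dmPosition;
+
+    pdevmodea->dmScale            = arg2->dmScale;
+    pdevmodea->dmCopies           = arg2->dmCopies;
+    pdevmodea->dmDefaultSource    = arg2->dmDefaultSource;
+    pdevmodea->dmPrintQuality     = arg2->dmPrintQuality;
+    pdevmodea->dmColor            = arg2->dmColor;
+    pdevmodea->dmDuplex           = arg2->dmDuplex;
+    pdevmodea->dmYResolution      = arg2->dmYResolution;
+    pdevmodea->dmTTOption         = arg2->dmTTOption;
+    pdevmodea->dmCollate          = arg2->dmCollate;
+
+    pdevmodea->dmLogPixels        = arg2->dmLogPixels;
+    pdevmodea->dmBitsPerPel       = arg2->dmBitsPerPel;
+    pdevmodea->dmPelsWidth        = arg2->dmPelsWidth;
+    pdevmodea->dmPelsHeight       = arg2->dmPelsHeight;
+    pdevmodea->dmDisplayFlags     = arg2->dmDisplayFlags;
+    pdevmodea->dmDisplayFrequency = arg2->dmDisplayFrequency;
+    pdevmodea->dmICMMethod        = arg2->dmICMMethod;
+    pdevmodea->dmICMIntent        = arg2->dmICMIntent;
+    pdevmodea->dmMediaType        = arg2->dmMediaType;
+    pdevmodea->dmDitherType       = arg2->dmDitherType;
+    pdevmodea->dmReserved1        = arg2->dmReserved1;
+    pdevmodea->dmReserved2        = arg2->dmReserved2;
+    pdevmodea->dmPanningWidth     = arg2->dmPanningWidth;
+    pdevmodea->dmPanningHeight    = arg2->dmPanningHeight;
+
+    lstrcpynWtoA(pdevmodea->dmDeviceName, arg2->dmDeviceName, CCHDEVICENAME);
+    lstrcpynWtoA(pdevmodea->dmFormName, arg2->dmFormName, CCHFORMNAME);
+
+    /* copy private driver data */
+    memcpy(((PBYTE)pdevmodea) + pdevmodea->dmSize, ((PBYTE)arg2) + arg2->dmSize, pdevmodea->dmDriverExtra);
+
+    HDC ret = (HDC)O32_ResetDC(arg1, pdevmodea);
+
+    free(pdevmodea);
+
+    return ret;
 }
 //******************************************************************************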
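Review bot: The added `memcpy` (new line 481) takes its source offset from `arg2->dmSize` and its length from `arg2->dmDriverExtra` straight from the caller's structure with no validation, and `arg2` is already dereferenced in the `malloc` size expression (new line 433) before any NULL check. The field-by-field copy above it reads every member through `dmPanningHeight` regardless of `arg2->dmSize`, so a caller passing a shorter DEVMODEW layout would have its driver-private bytes read as fixed fields, and an inconsistent `dmSize`/`dmDriverExtra` pair makes the copy read past the caller's buffer. A guard ahead of the allocation, e.g. `if (!arg2 || arg2->dmSize < sizeof(DEVMODEW)) { SetLastError(ERROR_INVALID_PARAMETER); return NULL; }`, would cover the NULL and short-structure cases; whether shorter structures should instead be accepted and copied only up to `dmSize` depends on callers not visible here. Allocating with `calloc` rather than `malloc` would also keep any bytes the name conversions leave unwritten (presumably everything after the terminator) from reaching `O32_ResetDC` as uninitialised heap contents.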