Rediffed patch from Rein Klazes:winex11.drv:Add pointer check in
X11DRV_SetDIBits
Louis. Lenders
xerox_xerox2000 at yahoo.co.uk
Sun Feb 18 16:18:28 CST 2007
Skipped content of type multipart/alternative-------------- next part --------------
diff --git a/dlls/winex11.drv/dib.c b/dlls/winex11.drv/dib.c
index cec2058..809897e 100644
--- a/dlls/winex11.drv/dib.c
+++ b/dlls/winex11.drv/dib.c
@@ -3861,6 +3861,7 @@ INT X11DRV_SetDIBits( X11DRV_PDEVICE *ph
X11DRV_DIB_IMAGEBITS_DESCR descr;
BITMAP bitmap;
LONG width, height, tmpheight;
+ int nrsrcbytes, dibpitch;
INT result;
descr.physDev = physDev;
@@ -3880,6 +3881,16 @@ INT X11DRV_SetDIBits( X11DRV_PDEVICE *ph
if (startscan + lines > height) lines = height - startscan;
+ /* pointer check */
+ dibpitch = ((width * descr.infoBpp + 31) &~31) / 8;
+ if( descr.compression)
+ nrsrcbytes = 1;
+ else {
+ nrsrcbytes = lines * dibpitch;
+ if( nrsrcbytes < 0) nrsrcbytes = - nrsrcbytes;
+ }
+ if( IsBadReadPtr( bits, nrsrcbytes)) return 0;
+
switch (descr.infoBpp)
{
case 1:
@@ -3926,7 +3937,7 @@ INT X11DRV_SetDIBits( X11DRV_PDEVICE *ph
descr.width = bitmap.bmWidth;
descr.height = lines;
descr.useShm = FALSE;
- descr.dibpitch = ((descr.infoWidth * descr.infoBpp + 31) &~31) / 8;
+ descr.dibpitch = dibpitch;
X11DRV_DIB_Lock( physBitmap, DIB_Status_GdiMod, FALSE );
result = X11DRV_DIB_SetImageBits( &descr );
X11DRV_DIB_Unlock( physBitmap, TRUE );
diff --git a/dlls/winex11.drv/dib_convert.c b/dlls/winex11.drv/dib_convert.c
More information about the wine-patches
mailing list