From c316c1a29fbfd77ecebc5b580acbfaaa4d198706 Mon Sep 17 00:00:00 2001
From: Dmitry Timoshkov <dmitry@codeweavers.com>
Date: Wed, 19 Dec 2007 11:43:05 +0800
Subject: [PATCH] gdi32: In the calculations use a fixed dmSize, not a passed
 in (possibly too large) one.

---
 dlls/gdi32/driver.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/dlls/gdi32/driver.c b/dlls/gdi32/driver.c
index 4d1aaadeafe..a2aa033bd1e 100644
--- a/dlls/gdi32/driver.c
+++ b/dlls/gdi32/driver.c
@@ -411,14 +411,14 @@ BOOL DRIVER_GetDriverName( LPCWSTR device, LPWSTR driver, DWORD size )
 DEVMODEW * WINAPI GdiConvertToDevmodeW(const DEVMODEA *dmA)
 {
     DEVMODEW *dmW;
-    WORD dmW_size;
+    WORD dmW_size, dmA_size;
 
-    dmW_size = dmA->dmSize;
-    if (dmW_size > sizeof(DEVMODEA))
-        dmW_size = sizeof(DEVMODEA);
+    dmA_size = dmA->dmSize;
+    if (dmA_size > sizeof(DEVMODEA))
+        dmA_size = sizeof(DEVMODEA);
 
-    dmW_size += CCHDEVICENAME;
-    if (dmA->dmSize >= FIELD_OFFSET(DEVMODEA, dmFormName) + CCHFORMNAME)
+    dmW_size = dmA_size + CCHDEVICENAME;
+    if (dmA_size >= FIELD_OFFSET(DEVMODEA, dmFormName) + CCHFORMNAME)
         dmW_size += CCHFORMNAME;
 
     dmW = HeapAlloc(GetProcessHeap(), 0, dmW_size + dmA->dmDriverExtra);
@@ -427,18 +427,18 @@ DEVMODEW * WINAPI GdiConvertToDevmodeW(const DEVMODEA *dmA)
     MultiByteToWideChar(CP_ACP, 0, (const char*) dmA->dmDeviceName, CCHDEVICENAME,
                                    dmW->dmDeviceName, CCHDEVICENAME);
     /* copy slightly more, to avoid long computations */
-    memcpy(&dmW->dmSpecVersion, &dmA->dmSpecVersion, dmA->dmSize - CCHDEVICENAME);
+    memcpy(&dmW->dmSpecVersion, &dmA->dmSpecVersion, dmA_size - CCHDEVICENAME);
 
-    if (dmA->dmSize >= FIELD_OFFSET(DEVMODEA, dmFormName) + CCHFORMNAME)
+    if (dmA_size >= FIELD_OFFSET(DEVMODEA, dmFormName) + CCHFORMNAME)
     {
         MultiByteToWideChar(CP_ACP, 0, (const char*) dmA->dmFormName, CCHFORMNAME,
                                        dmW->dmFormName, CCHFORMNAME);
-        if (dmA->dmSize > FIELD_OFFSET(DEVMODEA, dmLogPixels))
-            memcpy(&dmW->dmLogPixels, &dmA->dmLogPixels, dmA->dmSize - FIELD_OFFSET(DEVMODEA, dmLogPixels));
+        if (dmA_size > FIELD_OFFSET(DEVMODEA, dmLogPixels))
+            memcpy(&dmW->dmLogPixels, &dmA->dmLogPixels, dmA_size - FIELD_OFFSET(DEVMODEA, dmLogPixels));
     }
 
     if (dmA->dmDriverExtra)
-        memcpy((char *)dmW + dmW_size, (const char *)dmA + dmA->dmSize, dmA->dmDriverExtra);
+        memcpy((char *)dmW + dmW_size, (const char *)dmA + dmA_size, dmA->dmDriverExtra);
 
     dmW->dmSize = dmW_size;