[WIN32K:ENG] Relax surface parameter validation

tkreuzer · tkreuzer · commit 036f82b75746 · 2026-02-27T16:11:17.000+02:00
If no bitmap buffer size is provided (e.g. allocation path from EngCreateBitmap), do not validate that the size calculation is valid. Should fix some display drivers, like Radeon IGP 320M.
See CORE-13036, CORE-11676
diff --git a/win32ss/gdi/eng/surface.c b/win32ss/gdi/eng/surface.c
@@ -157,17 +157,17 @@ SURFACE_AllocSurface(
     /* Is this an uncompressed format? */
     if (iFormat <= BMF_32BPP)
     {
-        /* Calculate the correct bitmap size in bytes */
-        if (!NT_SUCCESS(RtlULongMult(cjWidth, cy, &cjBits)))
-        {
-            DPRINT1("Overflow calculating size: cjWidth %lu, cy %lu\n",
-                    cjWidth, cy);
-            return NULL;
-        }
-
         /* Did we get a buffer and size? */
         if ((pvBits != NULL) && (cjBufSize != 0))
         {
+            /* Calculate and validate the bitmap size in bytes */
+            if (!NT_SUCCESS(RtlULongMult(cjWidth, cy, &cjBits)))
+            {
+                DPRINT1("Overflow calculating size: cjWidth %lu, cy %lu\n",
+                        cjWidth, cy);
+                return NULL;
+            }
+
             /* Make sure the buffer is large enough */
             if (cjBufSize < cjBits)
             {
@@ -176,6 +176,13 @@ SURFACE_AllocSurface(
                 return NULL;
             }
         }
+        else
+        {
+            /* Do a dumb calculation. Windows doesn't validate this either and
+               some drivers (e.g. Radeon IGP 320M) eplicitly pass bogus values.
+               See CORE-13036. */
+            cjBits = cjWidth * cy;
+        }
     }
     else
     {

Original file line number	Diff line number	Diff line change
`@@ -157,17 +157,17 @@ SURFACE_AllocSurface(`
`157`	`157`	`/* Is this an uncompressed format? */`
`158`	`158`	`if (iFormat <= BMF_32BPP)`
`159`	`159`	`{`
`160`		`- /* Calculate the correct bitmap size in bytes */`
`161`		`- if (!NT_SUCCESS(RtlULongMult(cjWidth, cy, &cjBits)))`
`162`		`- {`
`163`		`- DPRINT1("Overflow calculating size: cjWidth %lu, cy %lu\n",`
`164`		`- cjWidth, cy);`
`165`		`- return NULL;`
`166`		`- }`
`167`		`-`
`168`	`160`	`/* Did we get a buffer and size? */`
`169`	`161`	`if ((pvBits != NULL) && (cjBufSize != 0))`
`170`	`162`	`{`
	`163`	`+ /* Calculate and validate the bitmap size in bytes */`
	`164`	`+ if (!NT_SUCCESS(RtlULongMult(cjWidth, cy, &cjBits)))`
	`165`	`+ {`
	`166`	`+ DPRINT1("Overflow calculating size: cjWidth %lu, cy %lu\n",`
	`167`	`+ cjWidth, cy);`
	`168`	`+ return NULL;`
	`169`	`+ }`
	`170`	`+`
`171`	`171`	`/* Make sure the buffer is large enough */`
`172`	`172`	`if (cjBufSize < cjBits)`
`173`	`173`	`{`
`@@ -176,6 +176,13 @@ SURFACE_AllocSurface(`
`176`	`176`	`return NULL;`
`177`	`177`	`}`
`178`	`178`	`}`
	`179`	`+ else`
	`180`	`+ {`
	`181`	`+ /* Do a dumb calculation. Windows doesn't validate this either and`
	`182`	`+ some drivers (e.g. Radeon IGP 320M) eplicitly pass bogus values.`
	`183`	`+ See CORE-13036. */`
	`184`	`+ cjBits = cjWidth * cy;`
	`185`	`+ }`
`179`	`186`	`}`
`180`	`187`	`else`
`181`	`188`	`{`