  1. Core ReactOS
  2. CORE-8735

Buffer overrun in win32k!DecompressBitmap when running gdi32!CreateDIBitmap


Details

    • Bug
    • Resolution: Fixed
    • Critical
    • 0.4.0
    • Win32SS
    • None

    Description

      Set MmSpecialPoolTag = ' BID'

      Running Wine Test, Module: gdi32, Test: CreateDIBitmap
      (..\..\win32ss\gdi\ntgdi\dibobj.c:275) Error: Could not create a bitmap.
      (..\..\win32ss\gdi\ntgdi\dibobj.c:275) Error: Could not create a bitmap.
      (..\..\win32ss\gdi\ntgdi\dibobj.c:275) Error: Could not create a bitmap.
      (..\..\win32ss\gdi\ntgdi\dibobj.c:275) Error: Could not create a bitmap.
      (..\..\win32ss\gdi\ntgdi\dibobj.c:275) Error: Could not create a bitmap.
      (..\..\win32ss\gdi\ntgdi\dibobj.c:275) Error: Could not create a bitmap.
      (..\..\win32ss\gdi\ntgdi\dibobj.c:275) Error: Could not create a bitmap.
      (..\..\win32ss\gdi\ntgdi\dibobj.c:275) Error: Could not create a bitmap.
      (..\..\win32ss\gdi\ntgdi\dibobj.c:275) Error: Could not create a bitmap.
      (..\..\win32ss\gdi\ntgdi\dibobj.c:275) Error: Could not create a bitmap.
      CreateDIBitmap.c:160: Test failed: Wrong last error. Expected 0xbadbad00, got 0x3e6
      CreateDIBitmap.c:172: Test failed: 
      CreateDIBitmap.c:173: Test failed: Wrong last error. Expected 0xbadbad00, got 0x57
      CreateDIBitmap.c:183: Test failed: Wrong last error. Expected 0xbadbad00, got 0x6
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,0,2,0,1,1) CreateDIBitmap(00000000, 00000000, 0x2, 00000000, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,0,2,1,1,1) CreateDIBitmap(00000000, 00000000, 0x2, 0012FD7C, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,0,2,2,1,1) CreateDIBitmap(00000000, 00000000, 0x2, C0000000, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,0,3,0,1,1) CreateDIBitmap(00000000, 00000000, 0x3, 00000000, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,0,3,1,1,1) CreateDIBitmap(00000000, 00000000, 0x3, 0012FD7C, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,0,3,2,1,1) CreateDIBitmap(00000000, 00000000, 0x3, C0000000, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,0,7,0,1,0) CreateDIBitmap(00000000, 00000000, 0x6, 00000000, 0012FDC4, 0)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,0,7,0,1,1) CreateDIBitmap(00000000, 00000000, 0x6, 00000000, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,0,7,1,1,1) CreateDIBitmap(00000000, 00000000, 0x6, 0012FD7C, 0012FDC4, 1)
      CreateDIBitmap.c:231: Test failed: Expected success for (0,1,0,1,0,2) CreateDIBitmap(00000000, 0012FDC4, 0x0, 0012FD7C, 00000000, 2)
      CreateDIBitmap.c:231: Test failed: Expected success for (0,1,0,1,1,2) CreateDIBitmap(00000000, 0012FDC4, 0x0, 0012FD7C, 0012FDC4, 2)
      CreateDIBitmap.c:231: Test failed: Expected success for (0,1,0,1,2,2) CreateDIBitmap(00000000, 0012FDC4, 0x0, 0012FD7C, 0012FD90, 2)
      CreateDIBitmap.c:231: Test failed: Expected success for (0,1,0,2,0,2) CreateDIBitmap(00000000, 0012FDC4, 0x0, C0000000, 00000000, 2)
      CreateDIBitmap.c:231: Test failed: Expected success for (0,1,0,2,1,2) CreateDIBitmap(00000000, 0012FDC4, 0x0, C0000000, 0012FDC4, 2)
      CreateDIBitmap.c:231: Test failed: Expected success for (0,1,0,2,2,2) CreateDIBitmap(00000000, 0012FDC4, 0x0, C0000000, 0012FD90, 2)
      CreateDIBitmap.c:231: Test failed: Expected success for (0,1,1,1,0,2) CreateDIBitmap(00000000, 0012FDC4, 0x1, 0012FD7C, 00000000, 2)
      CreateDIBitmap.c:231: Test failed: Expected success for (0,1,1,1,1,2) CreateDIBitmap(00000000, 0012FDC4, 0x1, 0012FD7C, 0012FDC4, 2)
      CreateDIBitmap.c:231: Test failed: Expected success for (0,1,1,1,2,2) CreateDIBitmap(00000000, 0012FDC4, 0x1, 0012FD7C, 0012FD90, 2)
      CreateDIBitmap.c:231: Test failed: Expected success for (0,1,1,2,0,2) CreateDIBitmap(00000000, 0012FDC4, 0x1, C0000000, 00000000, 2)
      CreateDIBitmap.c:231: Test failed: Expected success for (0,1,1,2,1,2) CreateDIBitmap(00000000, 0012FDC4, 0x1, C0000000, 0012FDC4, 2)
      CreateDIBitmap.c:231: Test failed: Expected success for (0,1,1,2,2,2) CreateDIBitmap(00000000, 0012FDC4, 0x1, C0000000, 0012FD90, 2)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,1,2,0,1,1) CreateDIBitmap(00000000, 0012FDC4, 0x2, 00000000, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,1,2,1,1,1) CreateDIBitmap(00000000, 0012FDC4, 0x2, 0012FD7C, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,1,2,2,1,1) CreateDIBitmap(00000000, 0012FDC4, 0x2, C0000000, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,1,3,0,1,1) CreateDIBitmap(00000000, 0012FDC4, 0x3, 00000000, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,1,3,1,1,1) CreateDIBitmap(00000000, 0012FDC4, 0x3, 0012FD7C, 0012FDC4, 1)
      (..\..\win32ss\gdi\ntgdi\dibobj.c:275) Error: Could not create a bitmap.
      (..\..\win32ss\gdi\ntgdi\dibobj.c:275) Error: Could not create a bitmap.
      (..\..\win32ss\gdi\ntgdi\dibobj.c:275) Error: Could not create a bitmap.
      (..\..\win32ss\gdi\ntgdi\dibobj.c:275) Error: Could not create a bitmap.
      (..\..\win32ss\gdi\ntgdi\dibobj.c:275) Error: Could not create a bitmap.
      (..\..\win32ss\gdi\ntgdi\dibobj.c:275) Error: Could not create a bitmap.
      (..\..\win32ss\gdi\ntgdi\dibobj.c:275) Error: Could not create a bitmap.
      (..\..\win32ss\gdi\ntgdi\dibobj.c:275) Error: Could not create a bitmap.
      (..\..\win32ss\gdi\ntgdi\dibobj.c:275) Error: Could not create a bitmap.
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,1,3,2,1,1) CreateDIBitmap(00000000, 0012FDC4, 0x3, C0000000, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,1,7,0,1,0) CreateDIBitmap(00000000, 0012FDC4, 0x6, 00000000, 0012FDC4, 0)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,1,7,0,1,1) CreateDIBitmap(00000000, 0012FDC4, 0x6, 00000000, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,1,7,1,1,1) CreateDIBitmap(00000000, 0012FDC4, 0x6, 0012FD7C, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,2,2,0,1,1) CreateDIBitmap(00000000, 0012FD90, 0x2, 00000000, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,2,2,1,1,1) CreateDIBitmap(00000000, 0012FD90, 0x2, 0012FD7C, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,2,2,2,1,1) CreateDIBitmap(00000000, 0012FD90, 0x2, C0000000, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,2,3,0,1,1) CreateDIBitmap(00000000, 0012FD90, 0x3, 00000000, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,2,3,1,1,1) CreateDIBitmap(00000000, 0012FD90, 0x3, 0012FD7C, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,2,3,2,1,1) CreateDIBitmap(00000000, 0012FD90, 0x3, C0000000, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,2,7,0,1,0) CreateDIBitmap(00000000, 0012FD90, 0x6, 00000000, 0012FDC4, 0)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,2,7,0,1,1) CreateDIBitmap(00000000, 0012FD90, 0x6, 00000000, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,2,7,1,1,1) CreateDIBitmap(00000000, 0012FD90, 0x6, 0012FD7C, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,3,2,0,1,1) CreateDIBitmap(00000000, C0000000, 0x2, 00000000, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,3,2,1,1,1) CreateDIBitmap(00000000, C0000000, 0x2, 0012FD7C, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,3,2,2,1,1) CreateDIBitmap(00000000, C0000000, 0x2, C0000000, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,3,3,0,1,1) CreateDIBitmap(00000000, C0000000, 0x3, 00000000, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,3,3,1,1,1) CreateDIBitmap(00000000, C0000000, 0x3, 0012FD7C, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,3,3,2,1,1) CreateDIBitmap(00000000, C0000000, 0x3, C0000000, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,3,7,0,1,0) CreateDIBitmap(00000000, C0000000, 0x6, 00000000, 0012FDC4, 0)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,3,7,0,1,1) CreateDIBitmap(00000000, C0000000, 0x6, 00000000, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (0,3,7,1,1,1) CreateDIBitmap(00000000, C0000000, 0x6, 0012FD7C, 0012FDC4, 1)
      CreateDIBitmap.c:237: Test failed: Expected failure for (1,0,7,0,1,0) CreateDIBitmap(9F01010E, 00000000, 0x6, 00000000, 0012FDC4, 0)
      CreateDIBitmap.c:237: Test failed: Expected failure for (1,0,7,0,1,1) CreateDIBitmap(9F01010E, 00000000, 0x6, 00000000, 0012FDC4, 1)
      CreateDIBitmap.c:231: Test failed: Expected success for (1,1,0,1,0,2) CreateDIBitmap(9F01010E, 0012FDC4, 0x0, 0012FD7C, 00000000, 2)
      CreateDIBitmap.c:231: Test failed: Expected success for (1,1,0,1,1,2) CreateDIBitmap(9F01010E, 0012FDC4, 0x0, 0012FD7C, 0012FDC4, 2)
      CreateDIBitmap.c:231: Test failed: Expected success for (1,1,0,1,2,2) CreateDIBitmap(9F01010E, 0012FDC4, 0x0, 0012FD7C, 0012FD90, 2)
      CreateDIBitmap.c:231: Test failed: Expected success for (1,1,0,2,0,2) CreateDIBitmap(9F01010E, 0012FDC4, 0x0, C0000000, 00000000, 2)
      CreateDIBitmap.c:231: Test failed: Expected success for (1,1,0,2,1,2) CreateDIBitmap(9F01010E, 0012FDC4, 0x0, C0000000, 0012FDC4, 2)
      CreateDIBitmap.c:231: Test failed: Expected success for (1,1,0,2,2,2) CreateDIBitmap(9F01010E, 0012FDC4, 0x0, C0000000, 0012FD90, 2)
       
      *** Fatal System Error: 0x000000d6
                             (0xF5B1B000,0x00000000,0xF357C709,0x00000000)
       
      Driver at fault: 
      ***    win32k.sys - Address F357C709 base at F3565000, DateStamp 5453c2b8
      .
      Break instruction exception - code 80000003 (first chance)
       
      A fatal system error has occurred.
      Debugger entered on first try; Bugcheck callbacks have not been invoked.
       
      A fatal system error has occurred.
       
      Connected to Windows Server 2003 3790 x86 compatible target at (Sat Nov  1 10:32:59.801 2014 (UTC + 1:00)), ptr64 FALSE
      Loading Kernel Symbols
      ..................................................
      Loading User Symbols
      .............
      *******************************************************************************
      *                                                                             *
      *                        Bugcheck Analysis                                    *
      *                                                                             *
      *******************************************************************************
       
      Use !analyze -v to get detailed debugging information.
       
      BugCheck D6, {f5b1b000, 0, f357c709, 0}
       
      Probably caused by : win32k.sys ( win32k!DecompressBitmap+a9 )
       
      Followup: MachineOwner
      ---------
       
      nt!RtlpBreakWithStatusInstruction:
      8055c448 cc              int     3
      kd> !analyze -v
      *******************************************************************************
      *                                                                             *
      *                        Bugcheck Analysis                                    *
      *                                                                             *
      *******************************************************************************
       
      DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)
      N bytes of memory was allocated and more than N bytes are being referenced.
      This cannot be protected by try-except.
      When possible, the guilty driver's name (Unicode string) is printed on
      the bugcheck screen and saved in KiBugCheckDriver.
      Arguments:
      Arg1: f5b1b000, memory referenced
      Arg2: 00000000, value 0 = read operation, 1 = write operation
      Arg3: f357c709, if non-zero, the address which referenced memory.
      Arg4: 00000000, (reserved)
       
      Debugging Details:
      ------------------
       
       
      READ_ADDRESS:  f5b1b000 
       
      FAULTING_IP: 
      win32k!DecompressBitmap+a9 [c:\ros\reactos-clean\reactos\win32ss\gdi\eng\rlecomp.c @ 45]
      f357c709 0fb610          movzx   edx,byte ptr [eax]
       
      MM_INTERNAL_CODE:  0
       
      IMAGE_NAME:  win32k.sys
       
      DEBUG_FLR_IMAGE_TIMESTAMP:  5453c2b8
       
      MODULE_NAME: win32k
       
      FAULTING_MODULE: f3565000 win32k
       
      DEFAULT_BUCKET_ID:  DRIVER_FAULT
       
      BUGCHECK_STR:  0xD6
       
      PROCESS_NAME:  gdi32_apitest.e
       
      CURRENT_IRQL:  1
       
      TRAP_FRAME:  00000010 -- (.trap 0x10)
      Unable to read trap frame at 00000010
       
      LAST_CONTROL_TRANSFER:  from 804a1596 to 8055c448
       
      STACK_TEXT:  
      f31cf484 804a1596 00000003 f31cf86c ffdff408 nt!RtlpBreakWithStatusInstruction
      f31cf4b4 804a1fe4 00000003 f31cf98c f31cf8b0 nt!KiBugCheckDebugBreak+0x36 [c:\ros\reactos-clean\reactos\ntoskrnl\ke\bug.c @ 536]
      f31cf874 804a277e 00000050 f5b1b000 00000000 nt!KeBugCheckWithTf+0x5b4 [c:\ros\reactos-clean\reactos\ntoskrnl\ke\bug.c @ 1100]
      f31cf894 804c8042 00000050 f5b1b000 00000000 nt!KeBugCheckEx+0x1e [c:\ros\reactos-clean\reactos\ntoskrnl\ke\bug.c @ 1429]
      f31cf98c 804f226e 00000000 f5b1b000 00000000 nt!MmArmAccessFault+0x822 [c:\ros\reactos-clean\reactos\ntoskrnl\mm\arm3\pagfault.c @ 1853]
      f31cf9a8 8053ef63 00000000 f5b1b000 00000000 nt!MmAccessFault+0xce [c:\ros\reactos-clean\reactos\ntoskrnl\mm\mmfault.c @ 243]
      f31cf9dc 804036df f31cfae0 f357c709 008cc063 nt!KiTrap0EHandler+0x1c3 [c:\ros\reactos-clean\reactos\ntoskrnl\ke\i386\traphdlr.c @ 1277]
      f31cf9dc f357c709 f31cfae0 f357c709 008cc063 nt!KiTrap0E+0x8f
      f31cfae0 f3604164 00000004 00000004 f5b1afe8 win32k!DecompressBitmap+0xa9 [c:\ros\reactos-clean\reactos\win32ss\gdi\eng\rlecomp.c @ 45]
      f31cfb20 f3610204 00000004 00000004 00000000 win32k!GreCreateBitmapEx+0x114 [c:\ros\reactos-clean\reactos\win32ss\gdi\ntgdi\bitmaps.c @ 97]
      f31cfbd8 f361015c 00000000 00000004 f5b1afe8 win32k!IntSetDIBits+0x84 [c:\ros\reactos-clean\reactos\win32ss\gdi\ntgdi\dibobj.c @ 272]
      f31cfc28 f361070c 00000004 00000008 00000001 win32k!IntCreateDIBitmap+0x23c [c:\ros\reactos-clean\reactos\win32ss\gdi\ntgdi\dibobj.c @ 1402]
      f31cfc74 f361058f 01010297 00000004 00000004 win32k!GreCreateDIBitmapInternal+0x13c [c:\ros\reactos-clean\reactos\win32ss\gdi\ntgdi\dibobj.c @ 1538]
      f31cfcd8 8053fcb9 01010297 00000004 00000004 win32k!NtGdiCreateDIBitmapInternal+0x15f [c:\ros\reactos-clean\reactos\win32ss\gdi\ntgdi\dibobj.c @ 1467]
      f31cfd14 8053f7cd f3610430 0012fce8 0000002c nt!KiSystemCallTrampoline+0x19 [c:\ros\reactos-clean\reactos\ntoskrnl\include\internal\i386\ke.h @ 725]
      f31cfd5c 80403e03 0012fda4 7c92fbce badb0d00 nt!KiSystemServiceHandler+0x23d [c:\ros\reactos-clean\reactos\ntoskrnl\ke\i386\traphdlr.c @ 1707]
      f31cfd5c 7c92fbce 0012fda4 7c92fbce badb0d00 nt!KiFastCallEntry+0x8c
      0012fcdc 77bc616a 77bb5ecb 01010297 00000004 ntdll!KiFastSystemCallRet
      0012fce0 77bb5ecb 01010297 00000004 00000004 gdi32!ZwGdiCreateDIBitmapInternal+0xc
      0012fda4 004141b5 01010297 0012fdd4 00000004 gdi32!CreateDIBitmap+0x20b [c:\ros\reactos-clean\reactos\win32ss\gdi\gdi32\objects\bitmap.c @ 505]
      0012fe1c 0041560c 0012fe40 00439584 0012fe4c gdi32_apitest!Test_CreateDIBitmap_RLE8+0x105 [c:\ros\reactos-clean\reactos\modules\rostests\apitests\gdi32\createdibitmap.c @ 384]
      0012fe24 00439584 0012fe4c cccccccc cccccccc gdi32_apitest!func_CreateDIBitmap+0x1c [c:\ros\reactos-clean\reactos\modules\rostests\apitests\gdi32\createdibitmap.c @ 539]
      0012fe40 00439418 00134a78 0012ffb4 0012fef0 gdi32_apitest!run_test+0xa4 [c:\ros\reactos-clean\reactos\include\reactos\wine\test.h @ 615]
      0012fedc 0043a52c 00000002 00133a68 00131638 gdi32_apitest!main+0x188 [c:\ros\reactos-clean\reactos\include\reactos\wine\test.h @ 671]
      0012ffb4 0043a266 000000ff 0012fff0 77d93909 gdi32_apitest!__tmainCRTStartup+0x2ac [c:\ros\reactos-clean\reactos\lib\sdk\crt\startup\crtexe.c @ 310]
      0012ffc0 77d93909 00000000 00000000 7ffdd000 gdi32_apitest!mainCRTStartup+0x26 [c:\ros\reactos-clean\reactos\lib\sdk\crt\startup\crtexe.c @ 196]
      0012fff0 00000000 0043a240 00000000 ec0100ed kernel32!BaseProcessStartup+0x69 [c:\ros\reactos-clean\reactos\dll\win32\kernel32\client\proc.c @ 478]
       
       
      STACK_COMMAND:  kb
       
      FOLLOWUP_IP: 
      win32k!DecompressBitmap+a9 [c:\ros\reactos-clean\reactos\win32ss\gdi\eng\rlecomp.c @ 45]
      f357c709 0fb610          movzx   edx,byte ptr [eax]
       
      FAULTING_SOURCE_CODE:  
          41:     _SEH2_TRY
          42:     {
          43:         while (y >= 0)
          44:         {
      >   45:             length = (*bits++) >> shift;
          46:             if (length)
          47:             {
          48:                 c = *bits++;
          49:                 while (length--)
          50:                 {
       
       
      SYMBOL_STACK_INDEX:  8
       
      SYMBOL_NAME:  win32k!DecompressBitmap+a9
       
      FOLLOWUP_NAME:  MachineOwner
       
      FAILURE_BUCKET_ID:  0xD6_win32k!DecompressBitmap+a9
       
      BUCKET_ID:  0xD6_win32k!DecompressBitmap+a9
       
      Followup: MachineOwner
      ---------
       
      kd> kp
      ChildEBP RetAddr  
      f31cf484 804a1596 nt!RtlpBreakWithStatusInstruction
      f31cf4b4 804a1fe4 nt!KiBugCheckDebugBreak(unsigned long StatusCode = 3)+0x36 [c:\ros\reactos-clean\reactos\ntoskrnl\ke\bug.c @ 536]
      f31cf874 804a277e nt!KeBugCheckWithTf(unsigned long BugCheckCode = 0x50, unsigned long BugCheckParameter1 = 0xf5b1b000, unsigned long BugCheckParameter2 = 0, unsigned long BugCheckParameter3 = 0xf31cf9e4, unsigned long BugCheckParameter4 = 0, struct _KTRAP_FRAME * TrapFrame = 0xf31cf9e4)+0x5b4 [c:\ros\reactos-clean\reactos\ntoskrnl\ke\bug.c @ 1100]
      f31cf894 804c8042 nt!KeBugCheckEx(unsigned long BugCheckCode = 0x50, unsigned long BugCheckParameter1 = 0xf5b1b000, unsigned long BugCheckParameter2 = 0, unsigned long BugCheckParameter3 = 0xf31cf9e4, unsigned long BugCheckParameter4 = 0)+0x1e [c:\ros\reactos-clean\reactos\ntoskrnl\ke\bug.c @ 1429]
      f31cf98c 804f226e nt!MmArmAccessFault(unsigned char StoreInstruction = 0x00 '', void * Address = 0xf5b1b000, char Mode = 0n0 '', void * TrapInformation = 0xf31cf9e4)+0x822 [c:\ros\reactos-clean\reactos\ntoskrnl\mm\arm3\pagfault.c @ 1853]
      f31cf9a8 8053ef63 nt!MmAccessFault(unsigned char StoreInstruction = 0x00 '', void * Address = 0xf5b1b000, char Mode = 0n0 '', void * TrapInformation = 0xf31cf9e4)+0xce [c:\ros\reactos-clean\reactos\ntoskrnl\mm\mmfault.c @ 243]
      f31cf9dc 804036df nt!KiTrap0EHandler(struct _KTRAP_FRAME * TrapFrame = 0xf31cf9e4)+0x1c3 [c:\ros\reactos-clean\reactos\ntoskrnl\ke\i386\traphdlr.c @ 1277]
      f31cf9dc f357c709 nt!KiTrap0E+0x8f
      f31cfae0 f3604164 win32k!DecompressBitmap(struct tagSIZE Size = struct tagSIZE, unsigned char * CompressedBits = 0xf5b1afe8 "???", unsigned char * UncompressedBits = 0xf86fafec "", long Delta = 4, unsigned long Format = 3)+0xa9 [c:\ros\reactos-clean\reactos\win32ss\gdi\eng\rlecomp.c @ 45]
      f31cfb20 f3610204 win32k!GreCreateBitmapEx(unsigned long nWidth = 4, unsigned long nHeight = 4, unsigned long cjWidthBytes = 0, unsigned long iFormat = 3, unsigned short fjBitmap = 0, unsigned long cjSizeImage = 0x14, void * pvBits = 0xf86fafec, unsigned long flags = 0)+0x114 [c:\ros\reactos-clean\reactos\win32ss\gdi\ntgdi\bitmaps.c @ 97]
      f31cfbd8 f361015c win32k!IntSetDIBits(struct _DC * DC = 0xf5bfca40, struct HBITMAP__ * hBitmap = 0x00050298, unsigned int StartScan = 0, unsigned int ScanLines = 4, void * Bits = 0xf5b1afe8, struct tagBITMAPINFO * bmi = 0x0012fdd4, unsigned int ColorUse = 1)+0x84 [c:\ros\reactos-clean\reactos\win32ss\gdi\ntgdi\dibobj.c @ 272]
      f31cfc28 f361070c win32k!IntCreateDIBitmap(struct _DC * Dc = 0xf5bfca40, int width = 4, int height = 4, unsigned int planes = 8, unsigned int bpp = 1, unsigned long compression = 1, unsigned long init = 4, unsigned char * bits = 0xf5b1afe8 "???", struct tagBITMAPINFO * data = 0x0012fdd4, unsigned long coloruse = 1)+0x23c [c:\ros\reactos-clean\reactos\win32ss\gdi\ntgdi\dibobj.c @ 1402]
      f31cfc74 f361058f win32k!GreCreateDIBitmapInternal(struct HDC__ * hDc = 0x01010297, int cx = 4, int cy = 4, unsigned long fInit = 4, unsigned char * pjInit = 0xf5b1afe8 "???", struct tagBITMAPINFO * pbmi = 0x0012fdd4, unsigned long iUsage = 1, unsigned long fl = 0, unsigned int cjMaxBits = 0x14, void * hcmXform = 0x00000000)+0x13c [c:\ros\reactos-clean\reactos\win32ss\gdi\ntgdi\dibobj.c @ 1538]
      f31cfcd8 8053fcb9 win32k!NtGdiCreateDIBitmapInternal(struct HDC__ * hDc = 0x01010297, int cx = 4, int cy = 4, unsigned long fInit = 4, unsigned char * pjInit = 0x0012fe04 "???", struct tagBITMAPINFO * pbmi = 0x0012fdd4, unsigned long iUsage = 1, unsigned int cjMaxInitInfo = 0x2c, unsigned int cjMaxBits = 0x14, unsigned long fl = 0, void * hcmXform = 0x00000000)+0x15f [c:\ros\reactos-clean\reactos\win32ss\gdi\ntgdi\dibobj.c @ 1467]
      f31cfd14 8053f7cd nt!KiSystemCallTrampoline(void * Handler = 0xf3610430, void * Arguments = 0x0012fce8, unsigned long StackBytes = 0x2c)+0x19 [c:\ros\reactos-clean\reactos\ntoskrnl\include\internal\i386\ke.h @ 725]
      f31cfd5c 80403e03 nt!KiSystemServiceHandler(struct _KTRAP_FRAME * TrapFrame = 0xf31cfd64, void * Arguments = 0x0012fce8)+0x23d [c:\ros\reactos-clean\reactos\ntoskrnl\ke\i386\traphdlr.c @ 1707]
      f31cfd5c 7c92fbce nt!KiFastCallEntry+0x8c
      0012fcdc 77bc616a ntdll!KiFastSystemCallRet
      0012fce0 77bb5ecb gdi32!ZwGdiCreateDIBitmapInternal+0xc
      0012fda4 004141b5 gdi32!CreateDIBitmap(struct HDC__ * hDC = 0x01010297, struct tagBITMAPINFOHEADER * Header = 0x0012fdd4, unsigned long Init = 4, void * Bits = 0x0012fe04, struct tagBITMAPINFO * Data = 0x0012fdd4, unsigned int ColorUse = 1)+0x20b [c:\ros\reactos-clean\reactos\win32ss\gdi\gdi32\objects\bitmap.c @ 505]
      0012fe1c 0041560c gdi32_apitest!Test_CreateDIBitmap_RLE8(void)+0x105 [c:\ros\reactos-clean\reactos\modules\rostests\apitests\gdi32\createdibitmap.c @ 384]
      0012fe24 00439584 gdi32_apitest!func_CreateDIBitmap(void)+0x1c [c:\ros\reactos-clean\reactos\modules\rostests\apitests\gdi32\createdibitmap.c @ 539]
      0012fe40 00439418 gdi32_apitest!run_test(char * name = 0x00134a78 "CreateDIBitmap")+0xa4 [c:\ros\reactos-clean\reactos\include\reactos\wine\test.h @ 615]
      0012fedc 0043a52c gdi32_apitest!main(int argc = 2, char ** argv = 0x00133a68)+0x188 [c:\ros\reactos-clean\reactos\include\reactos\wine\test.h @ 671]
      0012ffb4 0043a266 gdi32_apitest!__tmainCRTStartup(void)+0x2ac [c:\ros\reactos-clean\reactos\lib\sdk\crt\startup\crtexe.c @ 310]
      0012ffc0 77d93909 gdi32_apitest!mainCRTStartup(void)+0x26 [c:\ros\reactos-clean\reactos\lib\sdk\crt\startup\crtexe.c @ 196]
      0012fff0 00000000 kernel32!BaseProcessStartup(<function> * lpStartAddress = 0x0043a240)+0x69 [c:\ros\reactos-clean\reactos\dll\win32\kernel32\client\proc.c @ 478]
      kd> ?? length
      int 0x15
      kd> ?? y
      int 1
      kd> ?? bits
      unsigned char * 0xf5b1b000
       "--- memory read error at address 0xf5b1b000 ---"
      kd> ?? shift
      int 0
      kd> ?? Size
      struct tagSIZE
         +0x000 cx               : 4
         +0x004 cy               : 4
      kd> ?? width
      int 4
      kd> ?? Format
      unsigned long 3
      kd> ?? CompressedBits
      unsigned char * 0xf5b1afe8
       "???"
      kd> ?? UncompressedBits
      unsigned char * 0xf86fafec
       ""
      kd> ?? Delta
      long 4
      kd> ?? height
      int 3
      kd> !pool f5b1afe8
      Pool page f5b1afe8 region is Special pool
      *f5b1a000 size:   14 data: f5b1afe8 (Paged) *DIB 
      		Owning component : Unknown (update pooltag.txt)

      cc zefklop thephysicist
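The trace above faults on the read at rlecomp.c line 45 with `y` still at 1, so the decoder is still expecting records when the 0x14-byte source buffer (`cjMaxBits`) runs out. The following is an added, user-mode illustration of an RLE8 decoder that carries the source length and checks it before every read; it is not ReactOS code or either attached patch, and every name and sample stream in it is hypothetical or constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration: user-mode RLE8 decoder with an explicit source length.
 * All names here are hypothetical; this is not the ReactOS code or its patch. */
enum { RLE_EOL = 0, RLE_END = 1, RLE_DELTA = 2 };

/* Returns 0 when the stream ends cleanly, -1 when a record would read
 * past src + src_len. Rows are written in stream order from dst row 0. */
int rle8_decode_checked(const uint8_t *src, size_t src_len, uint8_t *dst,
                        int width, int height, size_t stride)
{
    size_t pos = 0;
    int x = 0, y = height - 1;

    if (width <= 0 || height <= 0 || stride < (size_t)width)
        return -1;

    while (y >= 0) {
        if (src_len - pos < 2)            /* each record starts with 2 bytes */
            return -1;
        uint8_t count = src[pos++];
        uint8_t value = src[pos++];
        uint8_t *row = dst + (size_t)(height - 1 - y) * stride;

        if (count) {                      /* encoded run: count copies of value */
            for (; count && x < width; count--)
                row[x++] = value;
            continue;
        }
        switch (value) {
        case RLE_EOL:
            x = 0;
            y--;
            break;
        case RLE_END:
            return 0;
        case RLE_DELTA:                   /* two more operand bytes follow */
            if (src_len - pos < 2)
                return -1;
            x += src[pos++];
            y -= src[pos++];
            if (x > width)                /* clamp so later writes stay in the row */
                x = width;
            break;
        default: {                        /* absolute run, padded to even length */
            size_t padded = ((size_t)value + 1) & ~(size_t)1;
            if (src_len - pos < padded)
                return -1;
            for (size_t i = 0; i < (size_t)value && x < width; i++)
                row[x++] = src[pos + i];
            pos += padded;
            break;
        }
        }
    }
    return 0;
}

/* Constructed samples for a 4x4 image. */
static const uint8_t good_stream[] = {    /* four runs, EOL after each, then END */
    4, 0x11, 0, 0,  4, 0x22, 0, 0,  4, 0x33, 0, 0,  4, 0x44, 0, 0,  0, 1 };
static const uint8_t bad_stream[0x14] = { /* 0x14 bytes, never reaches EOL or END */
    4, 0xAA, 4, 0xAA, 4, 0xAA, 4, 0xAA, 4, 0xAA,
    4, 0xAA, 4, 0xAA, 4, 0xAA, 4, 0xAA, 4, 0xAA };

int main(void)
{
    uint8_t out[16] = {0};
    printf("good: %d\n", rle8_decode_checked(good_stream, sizeof good_stream, out, 4, 4, 4));
    printf("bad:  %d\n", rle8_decode_checked(bad_stream, sizeof bad_stream, out, 4, 4, 4));
    return 0;
}
```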

      Attachments

        1. CORE-8735.patch
          2 kB
          Timo Kreuzer
        2. win32ss gdi eng.patch
          1 kB
          Kamil Hornicek

            People

              preston Kamil Hornicek
              ThFabba ThFabba