Index: reactos/win32ss/gdi/ntgdi/dclife.c
===================================================================
--- reactos/win32ss/gdi/ntgdi/dclife.c (revision 72796)
+++ reactos/win32ss/gdi/ntgdi/dclife.c (working copy)
@@ -692,9 +692,10 @@
 {
 UNICODE_STRING ustrDevice;
 WCHAR awcDevice[CCHDEVICENAME];
- DEVMODEW dmInit;
 PVOID dhpdev;
 HDC hdc;
+ DWORD Size;
+ DEVMODEW *pdmAllocated = NULL;
 
 /* Only if a devicename is given, we need any data */
 if (pustrDevice)
@@ -711,13 +712,16 @@
 /* Copy the string */
 RtlCopyUnicodeString(&ustrDevice, pustrDevice);
 
+ /* Allocate and store pdmAllocated if pdmInit is not NULL */
 if (pdmInit)
 {
- /* FIXME: could be larger */
- /* According to a comment in Windows SDK the size of the buffer for
- pdm is (pdm->dmSize + pdm->dmDriverExtra) */
 ProbeForRead(pdmInit, sizeof(DEVMODEW), 1);
- RtlCopyMemory(&dmInit, pdmInit, sizeof(DEVMODEW));
+
+ Size = pdmInit->dmSize + pdmInit->dmDriverExtra;
+ ProbeForRead(pdmInit, Size, 1);
+
+ pdmAllocated = ExAllocatePoolWithTag(PagedPool, Size, TAG_DC);
+ RtlCopyMemory(pdmAllocated, pdmInit, Size);
 }
 
 if (pUMdhpdev)
@@ -750,7 +754,7 @@
 
 /* Call the internal function */
 hdc = GreOpenDCW(pustrDevice ? &ustrDevice : NULL,
- pdmInit ? &dmInit : NULL,
+ pdmAllocated ? pdmAllocated : NULL,
 NULL, // FIXME: pwszLogAddress
 iType,
 bDisplay,
@@ -775,6 +779,12 @@
 _SEH2_END
 }
 
+ /* Free the allocated */
+ if (pdmAllocated)
+ {
+ ExFreePoolWithTag(pdmAllocated, TAG_DC);
+ }
+
 return hdc;
 }
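Review bot: In the second hunk, `dmSize` and `dmDriverExtra` are read from user memory to compute `Size` and then read again as part of `RtlCopyMemory(pdmAllocated, pdmInit, Size)`, so the pool copy handed to `GreOpenDCW` can describe itself as larger than the `Size` bytes actually allocated if the caller changes those fields in between. The result of `ExAllocatePoolWithTag` is also used without a NULL check, and nothing rejects a `Size` too small to contain the header fields. The sketch below captures both fields once into two new `USHORT` locals (`cjSize`, `cjExtra`, declared beside `Size`), enforces a minimum, checks the allocation and pins the copied fields to the captured values. It assumes this code runs inside an SEH block whose handler fails the call; that block starts outside the hunk, and whatever code consumes the buffer may need a larger minimum than the one shown.

```c
ProbeForRead(pdmInit, sizeof(DEVMODEW), 1);

/* Read each size field from user memory exactly once */
cjSize = pdmInit->dmSize;
cjExtra = pdmInit->dmDriverExtra;

/* The copy must at least contain the header through dmDriverExtra */
if (cjSize < FIELD_OFFSET(DEVMODEW, dmFields))
{
    ExRaiseStatus(STATUS_INVALID_PARAMETER);
}

Size = cjSize + cjExtra;
ProbeForRead(pdmInit, Size, 1);

pdmAllocated = ExAllocatePoolWithTag(PagedPool, Size, TAG_DC);
if (pdmAllocated == NULL)
{
    ExRaiseStatus(STATUS_INSUFFICIENT_RESOURCES);
}

RtlCopyMemory(pdmAllocated, pdmInit, Size);

/* The user buffer may have changed since the sizes were captured;
   make the copy agree with the length it was allocated for */
pdmAllocated->dmSize = cjSize;
pdmAllocated->dmDriverExtra = cjExtra;
```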
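Review bot: `pdmAllocated ? pdmAllocated : NULL` in the `GreOpenDCW` call (third hunk) is a conditional that yields its own operand either way. Passing `pdmAllocated` directly says the same thing, since the pointer is initialised to NULL in the first hunk and only assigned when `pdmInit` was supplied. The argument list continues past the end of the hunk.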
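Review bot: The free added before `return hdc;` in the last hunk is reached only on the normal path, so any exit taken between the allocation and this point would leak the `TAG_DC` allocation. The likely case is a fault while copying from the user buffer, if the exception handler guarding that copy returns directly; that handler is outside the visible hunks, so this needs checking against the full function. Freeing `pdmAllocated` in that handler as well, or routing every exit through this cleanup, would close the gap. The comment would read better completed, e.g. `/* Free the captured DEVMODEW copy, if any */`.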