• Zhiyi Zhang's avatar
    win32u: Find the correct DIB driver in windrv_CreateDC(). · 36366f12
    Zhiyi Zhang authored
    push_dc_driver() places drivers based on their priorities, so the newly created driver is not
    necessarily on top. Thus in windrv_CreateDC(), find_dc_driver() should be used to find the DIB
    driver instead of assuming the DIB driver is the top driver, which could be the path driver because
    it has a higher priority.
    
    The exact wrong code path was:
    1. A path driver with priority 400 is created for a DC.
    2. windrv_CreateDC() is called to create a window driver for the DC.
    3. Then in dibdrv_CreateDC(), push_dc_driver() is called with 'dev' pointing to the top driver, which is the path driver.
    4. push_dc_driver() updates 'dev' to point to the address of the next driver because DIB driver has a lower 300 priority.
    5. The DIB driver is assigned to 'dev', which is not the original parameter passed into push_dc_driver().
    6. In windrv_CreateDC(), get_dibdrv_pdev(*dev) is called, assuming the top driver is the DIB driver. But actually the top
       driver that '*dev' points to is still the path driver.
    
    The added tests can demonstrate the memory corruption before this fix is applied.
    36366f12
path.c 69.8 KB