On Mon Aug 1 07:56:19 2022 +0000, Zhiyi Zhang wrote:
Hi, Rémi. This is causing a new Coverity report. In NtUserChangeDisplaySettings(), default_mode is passed to read_registry_settings(), which eventually calls read_adapter_mode() and then writes to the mode + 1. This is an out-of-bounds access because default_mode is not an array. I think the correct fix is to not set dmDriverExtra for ENUM_REGISTRY_SETTINGS.
It writes only if `dmDriverExtra` is not zero. I think in both of these locations it is initialized to 0. It is used to read full modes for the available mode list.