[WIN32K] Fix gdi/dib horizontal line draw function crashes (reactos#8263)

* [WIN32K] Fix gdi/dib assembly code and 'C' code horizontal line draw function crashes.
Do not do subtracts that cause a wrap to a negative value when determining length.
This affects bit depths of 8, 16, 24, and 32 Bits per Plane.

CORE-19634
CORE-13532

Author: Doug-Lyons

win32ss/gdi/dib/dib16bpp.c

@@ -43,6 +43,9 @@ DIB_16BPP_HLine(SURFOBJ *SurfObj, LONG x1, LONG x2, LONG y, ULONG c)
   /* This is about 10% faster than the generic C code below */
   LONG Count = x2 - x1;
 
+  if (x1 >= x2)
+    return;
+
   __asm__ __volatile__ (
     "  cld\n"
     "  mov  %0, %%eax\n"
@@ -70,6 +73,9 @@ DIB_16BPP_HLine(SURFOBJ *SurfObj, LONG x1, LONG x2, LONG y, ULONG c)
   LONG cx = x1;
   DWORD cc;
 
+  if (x1 >= x2)
+    return;
+
   if (0 != (cx & 0x01))
   {
     *((PWORD) addr) = (WORD)c;

win32ss/gdi/dib/dib24bppc.c

@@ -18,6 +18,9 @@ DIB_24BPP_HLine(SURFOBJ *SurfObj, LONG x1, LONG x2, LONG y, ULONG c)
   PBYTE addr = (PBYTE)SurfObj->pvScan0 + y * SurfObj->lDelta + (x1 << 1) + x1;
   ULONG Count = x2 - x1;
 
+  if (x1 >= x2)
+    return;
+
   if (Count < 8)
   {
     /* For small fills, don't bother doing anything fancy */

win32ss/gdi/dib/dib8bpp.c

@@ -36,6 +36,9 @@ DIB_8BPP_GetPixel(SURFOBJ *SurfObj, LONG x, LONG y)
 VOID
 DIB_8BPP_HLine(SURFOBJ *SurfObj, LONG x1, LONG x2, LONG y, ULONG c)
 {
+  if (x1 >= x2)
+    return;
+
   memset((PBYTE)SurfObj->pvScan0 + y * SurfObj->lDelta + x1, (BYTE) c, x2 - x1);
 }
 

win32ss/gdi/dib/i386/dib24bpp_hline.s

@@ -19,12 +19,13 @@ PUBLIC _DIB_24BPP_HLine
                          sub     esp, 24
                          mov     ebx, [esp+40]
                          mov     edi, [esp+52]
-                         mov     ecx, [esp+44]
+                         mov     ecx, [esp+44]      // ecx = LONG x1
                          mov     eax, [ebx+36]
                          mov     esi, [ebx+32]
-                         mov     edx, [esp+48]
+                         mov     edx, [esp+48]      // edx = LONG x2
                          imul    eax, edi
-                         sub     edx, ecx
+                         sub     edx, ecx           // cx = (x2 - x1);
+                         jc      short .exit_here   // cx must not be negative
                          mov     [esp], edx
                          add     eax, esi
                          lea     eax, [eax+ecx*2]
@@ -37,6 +38,7 @@ PUBLIC _DIB_24BPP_HLine
                          mov     [esp], eax
                          inc     eax
                          jnz     small_fill
+               .exit_here:
                          add     esp, 24
                          pop     ebx
                          pop     esi

win32ss/gdi/dib/i386/dib32bpp_hline.s

@@ -13,7 +13,7 @@
 PUBLIC _DIB_32BPP_HLine
 
 _DIB_32BPP_HLine:
-                  sub     esp, 12             // rember the base is not hex it is dec
+                  sub     esp, 12            // remember the base is decimal
                   mov     ecx, [esp+16]
                   mov     [esp+4], ebx
                   mov     edx, [esp+20]      // edx =  LONG x1
@@ -23,7 +23,8 @@ _DIB_32BPP_HLine:
                   mov     ebx, [esp+24]      // ebx =  LONG x2
                   imul    eax, edi
                   mov     edi, [ecx+32]
-                  sub     ebx, edx            // cx  = (x2 - x1) ;
+                  sub     ebx, edx           // cx = (x2 - x1);
+                  jc      short .exit_here   // cx must not be negative
                   add     eax, edi
                   lea     edx, [eax+edx*4]
                   mov     [esp], edx
@@ -47,7 +48,7 @@ _save_rest:
                   rep stosd                  // The actual fill
                   shr     eax, 16
                   stosw
-
+.exit_here:
                   mov     ebx, [esp+4]
                   mov     edi, [esp+8]
                   add     esp, 12