[ros-diffs] [fireball] 31010: Andrey Korotaev <unc0rr at mail.ru>: - Never trust MaximumLength passed from usermode when copying a unicode string (fixes a wide amount of crashes, tested with CdrLabel 4.1).

fireball at svn.reactos.org
Tue Dec 4 23:52:06 CET 2007


Author: fireball
Date: Wed Dec  5 01:52:05 2007
New Revision: 31010

URL: http://svn.reactos.org/svn/reactos?rev=31010&view=rev
Log:
Andrey Korotaev <unc0rr at mail.ru>:
- Never trust MaximumLength passed from usermode when copying a unicode string (fixes a wide amount of crashes, tested with CdrLabel 4.1).

Modified:
    trunk/reactos/subsystems/win32/win32k/ntuser/misc.c

Modified: trunk/reactos/subsystems/win32/win32k/ntuser/misc.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/ntuser/misc.c?rev=31010&r1=31009&r2=31010&view=diff
==============================================================================
--- trunk/reactos/subsystems/win32/win32k/ntuser/misc.c (original)
+++ trunk/reactos/subsystems/win32/win32k/ntuser/misc.c Wed Dec  5 01:52:05 2007
@@ -2397,10 +2397,10 @@
 
    Src = Dest->Buffer;
    Dest->Buffer = NULL;
+   Dest->MaximumLength = Dest->Length;
 
    if(Dest->Length > 0 && Src)
    {
-      Dest->MaximumLength = Dest->Length;
       Dest->Buffer = ExAllocatePoolWithTag(PagedPool, Dest->MaximumLength, TAG_STRING);
       if(!Dest->Buffer)
       {
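Review bot: moving `Dest->MaximumLength = Dest->Length;` ahead of the `if(Dest->Length > 0 && Src)` check is the right fix, since the user-supplied MaximumLength is now overwritten on every path rather than only when a buffer is allocated; but in the case where `Src` is NULL while `Dest->Length > 0`, the string leaves this block with `Buffer == NULL` and a non-zero `Length`/`MaximumLength`, which later callers may treat as a valid buffer. Consider also setting `Dest->Length = 0;` (or failing) when `Src` is NULL, so the resulting UNICODE_STRING is internally consistent. A one-line comment stating that MaximumLength from user mode is deliberately discarded here would also help the next reader.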
@@ -2443,6 +2443,7 @@
 
    Src = Dest->Buffer;
    Dest->Buffer = NULL;
+   Dest->MaximumLength = 0;
 
    if(Dest->Length > 0 && Src)
    {
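Review bot: this hunk sets `Dest->MaximumLength = 0;` whereas the first hunk sets it to `Dest->Length`, and nothing in the visible lines explains the asymmetry. If the allocation inside the `if` block sizes the pool buffer from `Dest->MaximumLength` the way the first function does, the field must be assigned again before that call, otherwise a zero-length allocation followed by a copy of `Dest->Length` bytes would overflow. Please either make both functions use the same pattern or add a comment at this line saying where MaximumLength is set before the buffer is allocated.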