[ros-diffs] [tkreuzer] 56366: [NTOSKRNL] Fix a bug in MiAllocatePoolPages, that made the function succeed, when MAX_ULONG / -1 / 0xFFFFFFFF bytes were requested. The value overflowed into 0 and 0 pages were re...

tkreuzer at svn.reactos.org
Thu Apr 19 14:33:55 UTC 2012


Author: tkreuzer
Date: Thu Apr 19 14:33:53 2012
New Revision: 56366

URL: http://svn.reactos.org/svn/reactos?rev=56366&view=rev
Log:
[NTOSKRNL]
Fix a bug in MiAllocatePoolPages that made the function succeed when MAX_ULONG / -1 / 0xFFFFFFFF bytes were requested. The value overflowed into 0 and 0 pages were returned. When freeing this block, it could either free the next following large allocation or ASSERT when the end of the pool was reached without finding the end of the allocation.
Fixes FoxitReader 4.2/4.3
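The wrap the log describes, as an added example that is not ReactOS code: it assumes the rounding form BYTES_TO_PAGES(Size) = ((Size) + PAGE_SIZE - 1) >> PAGE_SHIFT evaluated in 32-bit arithmetic with 4 KiB pages, and shows the pre-fix conversion beside the post-fix zero-page check and an overflow-free reference. It generalizes the single 0xFFFFFFFF case to every request size within PAGE_SIZE - 1 of the maximum, all of which round to 0 pages.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12u
#define PAGE_SIZE  (1u << PAGE_SHIFT)

/* Assumed rounding form of the kernel macro, evaluated in 32-bit arithmetic:
 * adding PAGE_SIZE - 1 wraps for any size above 0xFFFFFFFF - (PAGE_SIZE - 1). */
#define BYTES_TO_PAGES(Size) (((uint32_t)(Size) + PAGE_SIZE - 1u) >> PAGE_SHIFT)

/* Pre-fix behaviour: the page count the allocator worked with, unchecked. */
uint32_t pages_unchecked(uint32_t size_in_bytes)
{
    return BYTES_TO_PAGES(size_in_bytes);
}

/* Post-fix behaviour: reject a zero page count (wrapped or zero-byte request).
 * The patch returns NULL from the allocator; here -1 stands in for that failure. */
int64_t pages_checked(uint32_t size_in_bytes)
{
    uint32_t pages = BYTES_TO_PAGES(size_in_bytes);
    if (pages == 0) {
        return -1;
    }
    return (int64_t)pages;
}

/* Reference computed in 64-bit arithmetic so the rounding cannot wrap;
 * the result is at most 0x100000 for a 32-bit size, so it fits in uint32_t. */
uint32_t pages_reference(uint32_t size_in_bytes)
{
    return (uint32_t)(((uint64_t)size_in_bytes + PAGE_SIZE - 1u) >> PAGE_SHIFT);
}

/* Smallest request size whose rounding wraps to zero pages in the 32-bit macro. */
uint32_t first_wrapping_size(void)
{
    return UINT32_MAX - (PAGE_SIZE - 1u) + 1u;  /* 0xFFFFF001 */
}

int main(void)
{
    /* Constructed request sizes: the reported one, the first that wraps, and one below it. */
    const uint32_t sizes[3] = { 0xFFFFFFFFu, first_wrapping_size(), first_wrapping_size() - 1u };
    for (int i = 0; i < 3; i++) {
        printf("size 0x%08X: unchecked %u pages, checked %lld, reference 0x%X pages\n",
               sizes[i], pages_unchecked(sizes[i]), (long long)pages_checked(sizes[i]),
               pages_reference(sizes[i]));
    }
    return 0;
}
```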

Modified:
    trunk/reactos/ntoskrnl/mm/ARM3/pool.c

Modified: trunk/reactos/ntoskrnl/mm/ARM3/pool.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/mm/ARM3/pool.c?rev=56366&r1=56365&r2=56366&view=diff
==============================================================================
--- trunk/reactos/ntoskrnl/mm/ARM3/pool.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/mm/ARM3/pool.c [iso-8859-1] Thu Apr 19 14:33:53 2012
@@ -438,6 +438,17 @@
     SizeInPages = (PFN_COUNT)BYTES_TO_PAGES(SizeInBytes);
 
     //
+    // Check for overflow
+    //
+    if (SizeInPages == 0)
+    {
+        //
+        // Fail
+        //
+        return NULL;
+    }
+
+    //
     // Handle paged pool
     //
     if ((PoolType & BASE_POOL_TYPE_MASK) == PagedPool)
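Review bot: The new `SizeInPages == 0` test catches the wrap only by its symptom, and it also rejects a legitimate zero-byte request, so the "Check for overflow" comment understates what is rejected; consider validating the input before the conversion (fail when SizeInBytes lies within PAGE_SIZE - 1 of its maximum value, the exact range where BYTES_TO_PAGES rounds past the top and wraps to 0) and keep the zero-page test as a second guard. Note also that the visible `(PFN_COUNT)` cast in `SizeInPages = (PFN_COUNT)BYTES_TO_PAGES(SizeInBytes);` can, where PFN_COUNT is narrower than the macro's result, truncate a huge request to a small nonzero page count that this check would not catch, which is another reason to bound SizeInBytes itself.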



