commit c5158963a3be6c19da30a2f9000e88e7f88a4986
Author: Timo Kreuzer <timo.kreuzer(a)reactos.org>
AuthorDate: Sat Dec 10 14:07:16 2022 +0200
Commit: Timo Kreuzer <timo.kreuzer(a)reactos.org>
CommitDate: Wed Jan 4 10:32:28 2023 +0100
[ADVAPI32] Fix a buffer overflow in RegQueryValueExA
The code tried to check whether the output string had already been NULL-terminated by RtlUnicodeToMultiByteN, before NULL-terminating it itself, by inspecting DataStr[*count - 1] for a NULL terminator. But since RtlUnicodeToMultiByteSize always returns the size without the NULL terminator, DataStr[*count - 1] is always the last actual character, never an optional NULL terminator.
For 0 sized strings this would actually lead to accessing the output buffer at position -1 (on 32 bit) or 0xFFFFFFFF (on 64 bit).
Fix this by removing the check. This fixes a crash in advapi32_winetest:registry on x64.
---
dll/win32/advapi32/reg/reg.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/dll/win32/advapi32/reg/reg.c b/dll/win32/advapi32/reg/reg.c
index 9beecc99d2c..904ca010eca 100644
--- a/dll/win32/advapi32/reg/reg.c
+++ b/dll/win32/advapi32/reg/reg.c
@@ -4088,6 +4088,7 @@ RegQueryValueExA(
/* We don't need this anymore */
RtlFreeUnicodeString(&nameW);
+ /* Get the length for the multi-byte string (without the terminating NULL!) */
DataLength = *count;
RtlUnicodeToMultiByteSize(count, Buffer, BufferSize);
@@ -4101,7 +4102,7 @@ RegQueryValueExA(
RtlUnicodeToMultiByteN(DataStr, DataLength, NULL, Buffer, BufferSize);
/* NULL-terminate if there is enough room */
- if ((DataLength > *count) && (DataStr[*count - 1] != '\0'))
+ if (DataLength > *count)
DataStr[*count] = '\0';
RtlFreeHeap(RtlGetProcessHeap(), 0, Buffer);
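Review bot: With the new `if (DataLength > *count)` guard, the case DataLength == *count (the converted string fills the caller's buffer exactly) is accepted silently and the string is returned without a terminator; that is consistent with how Win32 documents REG_SZ reads, but it is easy to misread at this point in the code, so the comment on the preceding line should spell it out: `/* NULL-terminate if there is enough room (*count excludes the terminator; an exactly-full buffer is returned unterminated) */`. The condition itself is now correct, since *count comes straight from RtlUnicodeToMultiByteSize and the write no longer depends on indexing DataStr[*count - 1], which was below the buffer for zero-length data. RegQueryValueExA's body, including whatever is later done with *count, continues outside the hunk.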
commit 437f2b1b0e7b401be3776c2e3726eb0225b9bde3
Author: Timo Kreuzer <timo.kreuzer(a)reactos.org>
AuthorDate: Fri Dec 16 10:22:49 2022 +0200
Commit: Timo Kreuzer <timo.kreuzer(a)reactos.org>
CommitDate: Wed Jan 4 10:32:28 2023 +0100
[KERNEL32] Silence 2 annoying DPRINTs
---
dll/win32/kernel32/client/proc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/dll/win32/kernel32/client/proc.c b/dll/win32/kernel32/client/proc.c
index a659101137a..d2e38355ddd 100644
--- a/dll/win32/kernel32/client/proc.c
+++ b/dll/win32/kernel32/client/proc.c
@@ -3999,11 +3999,11 @@ StartScan:
QuerySection = TRUE;
}
- /* Do we need to apply SxS to this image? */
+ /* Do we need to apply SxS to this image? (On x86 this flag is set by PeFmtCreateSection) */
if (!(ImageInformation.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_ISOLATION))
{
/* Too bad, we don't support this yet */
- DPRINT1("Image should receive SxS Fusion Isolation\n");
+ DPRINT("Image should receive SxS Fusion Isolation\n");
}
/* There's some SxS flag that we need to set if fusion flags have 1 set */
@@ -4226,7 +4226,7 @@ StartScan:
/* Write the remote PEB address and clear it locally, we no longer use it */
CreateProcessMsg->PebAddressNative = RemotePeb;
#ifdef _WIN64
- DPRINT1("TODO: WOW64 is not supported yet\n");
+ DPRINT("TODO: WOW64 is not supported yet\n");
CreateProcessMsg->PebAddressWow64 = 0;
#else
CreateProcessMsg->PebAddressWow64 = (ULONG)RemotePeb;
commit 0bdae2114aa2300cee18319752f0b6acc22d93d5
Author: George Bișoc <george.bisoc(a)reactos.org>
AuthorDate: Sat Dec 31 17:50:25 2022 +0100
Commit: George Bișoc <george.bisoc(a)reactos.org>
CommitDate: Tue Jan 3 16:48:03 2023 +0100
[NTOS:CM] Cleanup the hive in case linking it to master fails (#4969)
Currently the failure code path doesn't do any kind of cleanup against
the hive that was being linked to master. The cleanup is pretty
straightforward as you just simply close the hive file handles and free
the registry kernel structures.
CORE-5772
CORE-17263
CORE-13559
---
ntoskrnl/config/cmapi.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/ntoskrnl/config/cmapi.c b/ntoskrnl/config/cmapi.c
index 6555658435f..e21eea3b793 100644
--- a/ntoskrnl/config/cmapi.c
+++ b/ntoskrnl/config/cmapi.c
@@ -2121,18 +2121,24 @@ CmLoadKey(IN POBJECT_ATTRIBUTES TargetKey,
/* Release the hive */
CmHive->Hive.HiveFlags &= ~HIVE_IS_UNLOADING;
CmHive->CreatorOwner = NULL;
-
- /* Allow loads */
- ExReleasePushLock(&CmpLoadHiveLock);
}
else
{
DPRINT1("CmpLinkHiveToMaster failed, Status %lx\n", Status);
- /* FIXME: TODO */
- // ASSERT(FALSE); see CORE-17263
- ExReleasePushLock(&CmpLoadHiveLock);
+
+ /* We're touching this hive, set the loading flag */
+ CmHive->HiveIsLoading = TRUE;
+
+ /* Close associated file handles */
+ CmpCloseHiveFiles(CmHive);
+
+ /* Cleanup its resources */
+ CmpDestroyHive(CmHive);
}
+ /* Allow loads */
+ ExReleasePushLock(&CmpLoadHiveLock);
+
/* Is this first profile load? */
if (!CmpProfileLoaded && !CmpWasSetupBoot)
{