Author: rharabien
Date: Thu Sep 8 16:38:38 2011
New Revision: 53645
URL:
http://svn.reactos.org/svn/reactos?rev=53645&view=rev
Log:
[WIN32K]
- Fix possible buffer overrun
- Use KEY_VALUE_PARTIAL_INFORMATION field instead of magic offset to data
Modified:
trunk/reactos/subsystems/win32/win32k/ntuser/kbdlayout.c
trunk/reactos/subsystems/win32/win32k/ntuser/misc.c
Modified: trunk/reactos/subsystems/win32/win32k/ntuser/kbdlayout.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/nt…
==============================================================================
--- trunk/reactos/subsystems/win32/win32k/ntuser/kbdlayout.c [iso-8859-1] (original)
+++ trunk/reactos/subsystems/win32/win32k/ntuser/kbdlayout.c [iso-8859-1] Thu Sep 8
16:38:38 2011
@@ -286,6 +286,9 @@
if( NT_SUCCESS(Status) )
{
+ FullKeyboardLayoutPath.Buffer = wszBuffer;
+ FullKeyboardLayoutPath.MaximumLength = sizeof(wszBuffer);
+
// FIXME: Is this 100% correct?
// We're called very early, so HKEY_CURRENT_USER might not be available yet.
Check this first.
InitializeObjectAttributes(&KeyAttributes, &CurrentUserPath,
OBJ_CASE_INSENSITIVE, NULL, NULL);
@@ -294,18 +297,18 @@
if(Status == STATUS_OBJECT_NAME_NOT_FOUND)
{
// It is not available, so read it from HKEY_USERS\.DEFAULT
+ FullKeyboardLayoutPath.Length = sizeof(szDefaultUserPath) -
sizeof(UNICODE_NULL);
RtlCopyMemory(wszBuffer, szDefaultUserPath, sizeof(szDefaultUserPath));
}
else
{
// The path is available
ZwClose(KeyHandle);
- RtlCopyMemory(wszBuffer, CurrentUserPath.Buffer,
CurrentUserPath.MaximumLength);
- }
-
- // Build the full path
- RtlInitUnicodeString(&FullKeyboardLayoutPath, wszBuffer);
- FullKeyboardLayoutPath.MaximumLength = MAX_PATH;
+ RtlCopyUnicodeString(&FullKeyboardLayoutPath, &CurrentUserPath);
+ }
+
+ // Free CurrentUserPath - we dont need it anymore
+ RtlFreeUnicodeString(&CurrentUserPath);
Status = RtlAppendUnicodeToString(&FullKeyboardLayoutPath,
szKeyboardLayoutPath);
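Review bot: In the STATUS_OBJECT_NAME_NOT_FOUND branch the default path is still written with a raw `RtlCopyMemory` of `sizeof(szDefaultUserPath)` bytes and a hand-computed `Length`, so nothing ties that copy to the size of `wszBuffer`. Both declarations are outside the hunk, but if they are fixed-size arrays as the `sizeof` uses suggest, `C_ASSERT(sizeof(szDefaultUserPath) <= sizeof(wszBuffer));` beside the copy would make the bound explicit. In the else branch `RtlCopyUnicodeString` returns no status and truncates silently when the source is longer than `MaximumLength`, so a comment should say that the `RtlAppendUnicodeToString` status check below is what rejects an over-long path. That branch is also entered for every status other than STATUS_OBJECT_NAME_NOT_FOUND; the open call is not visible here, but if it can fail another way, `ZwClose(KeyHandle)` would run on a handle that was never opened.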
@@ -326,8 +329,6 @@
}
else
ERR("RtlAppendUnicodeToString failed! (%08lx)\n", Status);
-
- RtlFreeUnicodeString(&CurrentUserPath);
}
else
ERR("RtlFormatCurrentUserKeyPath failed! (%08lx)\n", Status);
Modified: trunk/reactos/subsystems/win32/win32k/ntuser/misc.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/nt…
==============================================================================
--- trunk/reactos/subsystems/win32/win32k/ntuser/misc.c [iso-8859-1] (original)
+++ trunk/reactos/subsystems/win32/win32k/ntuser/misc.c [iso-8859-1] Thu Sep 8 16:38:38
2011
@@ -17,13 +17,13 @@
IntGdiGetLanguageID(VOID)
{
HANDLE KeyHandle;
- ULONG Size = sizeof(WCHAR) * (MAX_PATH + 12);
OBJECT_ATTRIBUTES ObAttr;
//
http://support.microsoft.com/kb/324097
ULONG Ret = 0x409; // English
- PVOID KeyInfo;
+ PKEY_VALUE_PARTIAL_INFORMATION pKeyInfo;
+ ULONG Size = sizeof(KEY_VALUE_PARTIAL_INFORMATION) + MAX_PATH*sizeof(WCHAR);
UNICODE_STRING Language;
-
+
RtlInitUnicodeString( &Language,
L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Language");
@@ -35,22 +35,22 @@
if ( NT_SUCCESS(ZwOpenKey(&KeyHandle, KEY_READ, &ObAttr)))
{
- KeyInfo = ExAllocatePoolWithTag(PagedPool, Size, TAG_STRING);
- if ( KeyInfo )
+ pKeyInfo = ExAllocatePoolWithTag(PagedPool, Size, TAG_STRING);
+ if ( pKeyInfo )
{
RtlInitUnicodeString(&Language, L"Default");
if ( NT_SUCCESS(ZwQueryValueKey( KeyHandle,
&Language,
KeyValuePartialInformation,
- KeyInfo,
+ pKeyInfo,
Size,
&Size)) )
{
- RtlInitUnicodeString(&Language, (PVOID)((char *)KeyInfo + 12));
+ RtlInitUnicodeString(&Language, (PWSTR)pKeyInfo->Data);
RtlUnicodeStringToInteger(&Language, 16, &Ret);
}
- ExFreePoolWithTag(KeyInfo, TAG_STRING);
+ ExFreePoolWithTag(pKeyInfo, TAG_STRING);
}
ZwClose(KeyHandle);
}
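Review bot: `RtlInitUnicodeString(&Language, (PWSTR)pKeyInfo->Data)` still finds the end of the string by scanning for a NUL, and nothing in this hunk checks `pKeyInfo->Type` or `pKeyInfo->DataLength`. Registry string data is not guaranteed to be NUL-terminated, so a `Default` value that fills the buffer or is not REG_SZ could make the scan read past the pool allocation. Building `Language` from `DataLength` after a type check keeps the parse inside the returned data, as sketched below. IntGdiGetLanguageID starts in the previous hunk, and its tail may continue past these lines.

```c
// … unchanged: ZwQueryValueKey call into pKeyInfo …
if (pKeyInfo->Type == REG_SZ && pKeyInfo->DataLength >= sizeof(WCHAR))
{
    // Bound the string by the length the registry reported, not by a NUL search
    Language.Buffer = (PWSTR)pKeyInfo->Data;
    Language.Length = (USHORT)pKeyInfo->DataLength;
    Language.MaximumLength = Language.Length;
    RtlUnicodeStringToInteger(&Language, 16, &Ret);
}
// … unchanged: ExFreePoolWithTag(pKeyInfo, TAG_STRING) …
```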