Author: weiden Date: Thu Aug 2 08:09:19 2007 New Revision: 28094
URL: http://svn.reactos.org/svn/reactos?rev=28094&view=rev Log: Fix buffer overflow in InfpAddSection. See issue #2516 for more details.
Modified: trunk/reactos/lib/inflib/infcore.c trunk/reactos/lib/inflib/infpriv.h
Modified: trunk/reactos/lib/inflib/infcore.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/lib/inflib/infcore.c?rev=28...
==============================================================================
--- trunk/reactos/lib/inflib/infcore.c (original)
+++ trunk/reactos/lib/inflib/infcore.c Thu Aug 2 08:09:19 2007
@@ -181,7 +181,8 @@
 }
/* Allocate and initialize the new section */
- Size = sizeof(INFCACHESECTION) + (_tcslen (Name) * sizeof(TCHAR));
+ Size = FIELD_OFFSET(INFCACHESECTION,
+ Name[_tcslen (Name) + 1]);
 Section = (PINFCACHESECTION)MALLOC (Size);
 if (Section == NULL)
 {
@@ -285,7 +286,8 @@
 PINFCACHEFIELD Field;
 ULONG Size;
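Review bot: The corrected size is still stored in a `ULONG` (declared in the second hunk, presumably the same in the first) with no range check, and neither hunk explains the `+ 1`. `FIELD_OFFSET(INFCACHESECTION, Name[_tcslen (Name) + 1])` here and the matching `Data[...]` computation in the next hunk yield a pointer-sized offset, so on a target where `ULONG` is narrower the value would be truncated before `MALLOC`. That needs an extremely long string, but the string appears to come from parsed INF text. A comment such as `/* header up to Name, plus the string and its terminating NUL */` above each computation would record the layout the fix relies on. The copy that follows lies outside both hunks, as do the starts of the enclosing functions, and should be checked against the same length.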
- Size = sizeof(INFCACHEFIELD) + (_tcslen(Data) * sizeof(TCHAR));
+ Size = FIELD_OFFSET(INFCACHEFIELD,
+ Data[_tcslen(Data) + 1]);
 Field = (PINFCACHEFIELD)MALLOC(Size);
 if (Field == NULL)
 {
Modified: trunk/reactos/lib/inflib/infpriv.h
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/lib/inflib/infpriv.h?rev=28...
==============================================================================
--- trunk/reactos/lib/inflib/infpriv.h (original)
+++ trunk/reactos/lib/inflib/infpriv.h Thu Aug 2 08:09:19 2007
@@ -9,6 +9,9 @@
 #ifndef INFPRIV_H_INCLUDED
 #define INFPRIV_H_INCLUDED
+#ifndef FIELD_OFFSET
+#define FIELD_OFFSET(t,f) ((ptrdiff_t)&(((t*)0)->f))
+#endif
#define INF_STATUS_INSUFFICIENT_RESOURCES (0xC000009A)
 #define INF_STATUS_BAD_SECTION_NAME_LINE (0xC0700001)
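Review bot: The fallback `FIELD_OFFSET` names `ptrdiff_t`, but this hunk adds no `#include <stddef.h>`; unless an include outside the hunk provides the type, every file that expands the macro must already have it in scope. The macro also computes the offset by taking a member address through a null pointer, which the C standard leaves undefined even though common compilers accept it. With `<stddef.h>` included, the fallback could read `#define FIELD_OFFSET(t,f) offsetof(t, f)`. The infcore.c callers pass a run-time array index, which compilers support for `offsetof` only as an extension, so this should be confirmed on the toolchains the library is built with.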