[ros-diffs] [tfaber] 64867: [RTL] - Fix a buffer overflow in RtlSetBits/RtlClearBits

Author: tfaber Date: Tue Oct 21 14:22:28 2014 New Revision: 64867 URL: http://svn.reactos.org/svn/reactos?rev=64867&view=rev Log: [RTL] - Fix a buffer overflow in RtlSetBits/RtlClearBits Modified: trunk/reactos/lib/rtl/bitmap.c trunk/rostests/apitests/ntdll/RtlBitmap.c Modified: trunk/reactos/lib/rtl/bitmap.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/lib/rtl/bitmap.c?rev=64867… ============================================================================== --- trunk/reactos/lib/rtl/bitmap.c [iso-8859-1] (original) +++ trunk/reactos/lib/rtl/bitmap.c [iso-8859-1] Tue Oct 21 14:22:28 2014 @@ -362,8 +362,11 @@ /* Clear what's left */ NumberToClear &= (_BITCOUNT - 1); - Mask = MAXINDEX << NumberToClear; - *Buffer &= Mask; + if (NumberToClear) + { + Mask = MAXINDEX << NumberToClear; + *Buffer &= Mask; + } } VOID @@ -419,8 +422,11 @@ /* Set what's left */ NumberToSet &= (_BITCOUNT - 1); - Mask = MAXINDEX << NumberToSet; - *Buffer |= ~Mask; + if (NumberToSet) + { + Mask = MAXINDEX << NumberToSet; + *Buffer |= ~Mask; + } } BOOLEAN Modified: trunk/rostests/apitests/ntdll/RtlBitmap.c URL: http://svn.reactos.org/svn/reactos/trunk/rostests/apitests/ntdll/RtlBitmap.… ============================================================================== --- trunk/rostests/apitests/ntdll/RtlBitmap.c [iso-8859-1] (original) +++ trunk/rostests/apitests/ntdll/RtlBitmap.c [iso-8859-1] Tue Oct 21 14:22:28 2014 @@ -200,6 +200,11 @@ ok_hex(Buffer[0], 0x00001fff); ok_hex(Buffer[1], 0xfffffff8); + memset(Buffer, 0xff, BufferSize); + RtlClearBits(&BitMapHeader, 63, 1); + ok_hex(Buffer[0], 0xffffffff); + ok_hex(Buffer[1], 0x7fffffff); + memset(Buffer, 0xcc, BufferSize); RtlClearBits(&BitMapHeader, 3, 6); RtlClearBits(&BitMapHeader, 11, 5); @@ -244,6 +249,11 @@ RtlSetBits(&BitMapHeader, 13, 22); ok_hex(Buffer[0], 0xffffe000); ok_hex(Buffer[1], 0x00000007); + + memset(Buffer, 0x00, BufferSize); + RtlSetBits(&BitMapHeader, 63, 1); + ok_hex(Buffer[0], 0x00000000); + ok_hex(Buffer[1], 0x80000000); memset(Buffer, 0xcc, BufferSize); RtlSetBits(&BitMapHeader, 3, 6);