Author: tkreuzer
Date: Tue Jan 14 19:41:01 2014
New Revision: 61624
URL: http://svn.reactos.org/svn/reactos?rev=61624&view=rev
Log:
[RTL] Fix a nasty bug in RtlQueryRegistryValues, that caused memory corruption when the key name or data had the "wrong" length.
Modified: trunk/reactos/lib/rtl/registry.c
Modified: trunk/reactos/lib/rtl/registry.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/lib/rtl/registry.c?rev=6162... ============================================================================== --- trunk/reactos/lib/rtl/registry.c [iso-8859-1] (original) +++ trunk/reactos/lib/rtl/registry.c [iso-8859-1] Tue Jan 14 19:41:01 2014 @@ -211,7 +211,7 @@
/* Check if we have space to copy the data */ RequiredLength = KeyValueInfo->NameLength + sizeof(UNICODE_NULL); - if (SpareLength < RequiredLength) + if ((SpareData > DataEnd) || (SpareLength < RequiredLength)) { /* Fail and return the missing length */ *InfoSize = (ULONG)(SpareData - (PCHAR)KeyValueInfo) + RequiredLength;
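Review bot: The added (SpareData > DataEnd) test in the condition at @@ -211 is not explained. The comment above it still reads only "Check if we have space to copy the data", and the computation of SpareLength is outside this hunk, so a reader cannot tell why SpareLength < RequiredLength alone fails to catch the case where SpareData has already passed DataEnd. Please extend that comment to say how SpareData can end up beyond DataEnd and what value SpareLength holds when it does. Two further points to confirm. The log names both the key name and the data length as triggers, but this hunk guards only the copy sized by KeyValueInfo->NameLength + sizeof(UNICODE_NULL), so the data-sized copy should be checked for the same guard. In the failure branch, *InfoSize is still computed from SpareData - (PCHAR)KeyValueInfo plus RequiredLength and cast to ULONG; verify that the value is what the caller should allocate in the new SpareData > DataEnd case as well.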