Author: tkreuzer
Date: Tue Jan 14 19:41:01 2014
New Revision: 61624
URL:
http://svn.reactos.org/svn/reactos?rev=61624&view=rev
Log:
[RTL]
Fix a nasty bug in RtlQueryRegistryValues, that caused memory corruption when the key
name or data had the "wrong" length.
Modified:
trunk/reactos/lib/rtl/registry.c
Modified: trunk/reactos/lib/rtl/registry.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/lib/rtl/registry.c?rev=616…
==============================================================================
--- trunk/reactos/lib/rtl/registry.c [iso-8859-1] (original)
+++ trunk/reactos/lib/rtl/registry.c [iso-8859-1] Tue Jan 14 19:41:01 2014
@@ -211,7 +211,7 @@
/* Check if we have space to copy the data */
RequiredLength = KeyValueInfo->NameLength + sizeof(UNICODE_NULL);
- if (SpareLength < RequiredLength)
+ if ((SpareData > DataEnd) || (SpareLength < RequiredLength))
{
/* Fail and return the missing length */
*InfoSize = (ULONG)(SpareData - (PCHAR)KeyValueInfo) + RequiredLength;
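Review bot: The new `(SpareData > DataEnd)` test in the space check has no comment saying why the pointer can already be past the end of the buffer, and the existing comment ("Check if we have space to copy the data") still describes only the length comparison. Please add a line explaining the case, for example that `SpareLength` cannot be trusted once `SpareData` has moved beyond `DataEnd`, so the next reader does not remove the test as redundant. Two more things to confirm. The log message mentions both the key name and the data, but this hunk guards only the name copy (`RequiredLength = KeyValueInfo->NameLength + sizeof(UNICODE_NULL)`), so the data copy path needs the same guard if it is not already there. And in the failure branch `*InfoSize` is still derived from `SpareData - (PCHAR)KeyValueInfo`, which is now also reached when `SpareData` lies past `DataEnd`, so check that the reported size is what callers expect in that case.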