RtlCaptureUnicodeString should also check the buffers that the UNICODE_STRING structure points to...
Modified: trunk/reactos/ntoskrnl/rtl/capture.c

Modified: trunk/reactos/ntoskrnl/rtl/capture.c
--- trunk/reactos/ntoskrnl/rtl/capture.c	2005-01-22 18:08:28 UTC (rev 13218)
+++ trunk/reactos/ntoskrnl/rtl/capture.c	2005-01-22 20:53:14 UTC (rev 13219)
@@ -58,6 +58,12 @@
                    sizeof(UNICODE_STRING),
                    sizeof(ULONG));
       Src = *UnsafeSrc;
+      if(Src.Length > 0)
+      {
+        ProbeForRead(Src.Buffer,
+                     Src.Length,
+                     sizeof(WCHAR));
+      }
     }
     _SEH_HANDLE
     {
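Review bot: The new ProbeForRead only validates that the range Src.Buffer..Src.Buffer+Src.Length lies in user space at this instant; the caller can still unmap or remap those pages before the copy, so the probe must not be read as making the later RtlCopyMemory safe on its own — the copy has to stay under its own _SEH_TRY, which it does further down. It is worth stating that in a comment so nobody later hoists the copy out of SEH, e.g. `/* Range check only: the pages can vanish after this probe, so the copy below still runs under SEH. */`. Note also that the probe is correctly performed on the local copy Src rather than on *UnsafeSrc, which keeps the Buffer/Length pair stable against a racing user-mode writer; the probe will also raise for a WCHAR-misaligned Buffer, which is caught by the handler since the probe is inside the try block. The enclosing function and the surrounding _SEH_TRY begin above this hunk.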
@@ -86,20 +92,19 @@
    * Initialize the destination string.
    */
   Dest->Length = Src.Length;
-  Dest->MaximumLength = Src.Length + sizeof(WCHAR);
-  Dest->Buffer = ExAllocatePool(PoolType, Dest->MaximumLength);
-  if (Dest->Buffer == NULL)
-  {
-    Dest->Length = Dest->MaximumLength = 0;
-    Dest->Buffer = NULL;
-    return STATUS_INSUFFICIENT_RESOURCES;
-  }
-
-  /*
-   * Copy the source string to kernel space.
-   */
   if(Src.Length > 0)
   {
+    Dest->MaximumLength = Src.Length + sizeof(WCHAR);
+    Dest->Buffer = ExAllocatePool(PoolType, Dest->MaximumLength);
+    if (Dest->Buffer == NULL)
+    {
+      Dest->Length = Dest->MaximumLength = 0;
+      Dest->Buffer = NULL;
+      return STATUS_INSUFFICIENT_RESOURCES;
+    }
+    /*
+     * Copy the source string to kernel space.
+     */
     _SEH_TRY
     {
       RtlCopyMemory(Dest->Buffer, Src.Buffer, Src.Length);
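Review bot: The buffer is allocated with one extra WCHAR (`MaximumLength = Src.Length + sizeof(WCHAR)`) but only Src.Length bytes are copied into it, and ExAllocatePool does not zero its result, so the trailing WCHAR is left uninitialized and the string is not NUL-terminated despite the allocation clearly being sized for that. Since the probe accepts an odd Src.Length, the terminator should be written byte-wise rather than via a WCHAR index (which would either floor onto the last copied byte or be misaligned); after the copy add `RtlZeroMemory((PUCHAR)Dest->Buffer + Src.Length, sizeof(WCHAR));`. Also consider that Dest->Length is assigned from Src.Length before the allocation, so a caller that ignores the STATUS_INSUFFICIENT_RESOURCES return still sees consistent zeroed fields — that part is fine. The _SEH_HANDLE for the copy starts after the end of this hunk.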
@@ -111,6 +116,11 @@
     }
     _SEH_END;
   }
+  else
+  {
+    Dest->MaximumLength = 0;
+    Dest->Buffer = NULL;
+  }
   
   return Status;
 }
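Review bot: If RtlCopyMemory faults (the _SEH_HANDLE that closes at the top of this hunk is not visible here), the function returns the failure Status while Dest->Buffer still holds the pool allocation made in the Src.Length > 0 path, unless that handler already frees it and resets Dest — which cannot be confirmed from the hunk. If it does not, the handler should mirror the allocation-failure path: `ExFreePool(Dest->Buffer); Dest->Buffer = NULL; Dest->Length = Dest->MaximumLength = 0;`, so a caller that sees a failure status never owns a dangling kernel buffer. The added else branch itself is correct: Dest->Length was already set to 0 above, so zeroing MaximumLength and Buffer leaves an empty, consistent UNICODE_STRING.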