Author: janderwald Date: Sat Jun 12 10:21:03 2010 New Revision: 47763
URL: http://svn.reactos.org/svn/reactos?rev=47763&view=rev Log: [WDMAUD_KERNEL] - Fix possible buffer overflow [MMIXER] - Add sanity checks
Modified: trunk/reactos/drivers/wdm/audio/legacy/wdmaud/deviface.c trunk/reactos/lib/drivers/sound/mmixer/controls.c trunk/reactos/lib/drivers/sound/mmixer/filter.c trunk/reactos/lib/drivers/sound/mmixer/mixer.c trunk/reactos/lib/drivers/sound/mmixer/priv.h trunk/reactos/lib/drivers/sound/mmixer/sup.c trunk/reactos/lib/drivers/sound/mmixer/wave.c
Modified: trunk/reactos/drivers/wdm/audio/legacy/wdmaud/deviface.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/wdm/audio/legacy/wd... ============================================================================== --- trunk/reactos/drivers/wdm/audio/legacy/wdmaud/deviface.c [iso-8859-1] (original) +++ trunk/reactos/drivers/wdm/audio/legacy/wdmaud/deviface.c [iso-8859-1] Sat Jun 12 10:21:03 2010 @@ -122,18 +122,32 @@ } else { + Entry = (SYSAUDIO_ENTRY*)AllocateItem(NonPagedPool, sizeof(SYSAUDIO_ENTRY)); + if (!Entry) + { + return STATUS_INSUFFICIENT_RESOURCES; + } + + Length = wcslen(DeviceName.Buffer) + 1; - Entry = (SYSAUDIO_ENTRY*)AllocateItem(NonPagedPool, sizeof(SYSAUDIO_ENTRY) + Length * sizeof(WCHAR)); - if (!Entry) - { + Entry->SymbolicLink.Length = 0; + Entry->SymbolicLink.MaximumLength = Length * sizeof(WCHAR); + Entry->SymbolicLink.Buffer = AllocateItem(NonPagedPool, Entry->SymbolicLink.MaximumLength); + + if (!Entry->SymbolicLink.Buffer) + { + FreeItem(Entry); return STATUS_INSUFFICIENT_RESOURCES; }
- Entry->SymbolicLink.Length = Entry->SymbolicLink.MaximumLength = Length * sizeof(WCHAR); - Entry->SymbolicLink.MaximumLength += sizeof(WCHAR); - Entry->SymbolicLink.Buffer = (LPWSTR) (Entry + 1); - - wcscpy(Entry->SymbolicLink.Buffer, DeviceName.Buffer); + Status = RtlAppendUnicodeStringToString(&Entry->SymbolicLink, &DeviceName); + + if (!NT_SUCCESS(Status)) + { + FreeItem(Entry->SymbolicLink.Buffer); + FreeItem(Entry); + return Status; + }
InsertTailList(&DeviceExtension->SysAudioDeviceList, &Entry->Entry); DeviceExtension->NumSysAudioDevices++;
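Review bot: `Length` is still computed with `wcslen(DeviceName.Buffer)` in the context line above the new `MaximumLength` assignment, which assumes the UNICODE_STRING buffer is NUL-terminated; a counted string does not guarantee that, and the byte length is already available in `DeviceName.Length`. Sizing from the counted length avoids the scan: `Entry->SymbolicLink.MaximumLength = DeviceName.Length + sizeof(WCHAR);`. `SymbolicLink.Buffer` is now a separate allocation, so any code that later frees a `SYSAUDIO_ENTRY` has to free the buffer first. That teardown code is not in this hunk, and the enclosing function starts and ends outside it.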
Modified: trunk/reactos/lib/drivers/sound/mmixer/controls.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/sound/mmixer/co... ============================================================================== --- trunk/reactos/lib/drivers/sound/mmixer/controls.c [iso-8859-1] (original) +++ trunk/reactos/lib/drivers/sound/mmixer/controls.c [iso-8859-1] Sat Jun 12 10:21:03 2010 @@ -15,6 +15,7 @@ IN PKSMULTIPLE_ITEM NodeTypes, IN ULONG bUpDirection, IN ULONG NodeConnectionIndex, + IN ULONG PinCount, OUT PULONG Pins) { PKSTOPOLOGY_CONNECTION Connection; @@ -41,6 +42,9 @@
//DPRINT("GetTargetPinsByNodeIndex FOUND Target Pin %u Parsed %u\n", PinId, Pins[PinId]);
+ // sanity check + ASSERT(PinId < PinCount); + /* mark pin index as a target pin */ Pins[PinId] = TRUE; return MM_STATUS_SUCCESS; @@ -61,7 +65,7 @@ for(Index = 0; Index < NodeConnectionCount; Index++) { // iterate recursively into the nodes - Status = MMixerGetTargetPinsByNodeConnectionIndex(MixerContext, NodeConnections, NodeTypes, bUpDirection, NodeConnection[Index], Pins); + Status = MMixerGetTargetPinsByNodeConnectionIndex(MixerContext, NodeConnections, NodeTypes, bUpDirection, NodeConnection[Index], PinCount, Pins); ASSERT(Status == MM_STATUS_SUCCESS); } // free node connection indexes @@ -597,6 +601,8 @@ DestinationLine->Line.Target.wMid = MixerInfo->MixCaps.wMid; DestinationLine->Line.Target.wPid = MixerInfo->MixCaps.wPid; DestinationLine->Line.Target.vDriverVersion = MixerInfo->MixCaps.vDriverVersion; + + ASSERT(MixerInfo->MixCaps.szPname[MAXPNAMELEN-1] == 0); wcscpy(DestinationLine->Line.Target.szPname, MixerInfo->MixCaps.szPname);
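Review bot: `ASSERT(PinId < PinCount)` is the only guard in front of `Pins[PinId] = TRUE`, and ASSERT is normally compiled out of release builds, so an out-of-range pin id taken from the topology data would still write past the array there. A runtime check keeps the bound in every build: `if (PinId >= PinCount) return MM_STATUS_UNSUCCESSFUL;`. The recursive call in the `@@ -61` hunk only asserts on the returned status, so it would also need to propagate a failure. The same assert-only pattern guards the `wcscpy` calls in the `@@ -597` hunk of this file, in mixer.c and sup.c, and the name-length check in wave.c. The function body starts and ends outside this hunk.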
// initialize extra line @@ -736,11 +742,11 @@ return Status; }
- /* there should be no split in the bride pin */ + /* there should be no split in the bridge pin */ ASSERT(PinConnectionIndexCount == 1);
/* find all target pins of this connection */ - Status = MMixerGetTargetPinsByNodeConnectionIndex(MixerContext, NodeConnections, NodeTypes, FALSE, PinConnectionIndex[0], PinsRef); + Status = MMixerGetTargetPinsByNodeConnectionIndex(MixerContext, NodeConnections, NodeTypes, FALSE, PinConnectionIndex[0], PinsRefCount, PinsRef); if (Status != MM_STATUS_SUCCESS) { MixerContext->Free(PinsRef); @@ -779,7 +785,7 @@ }
// now get all connected source pins - Status = MMixerGetTargetPinsByNodeConnectionIndex(MixerContext, NodeConnections, NodeTypes, TRUE, MixerControls[0], PinsSrcRef); + Status = MMixerGetTargetPinsByNodeConnectionIndex(MixerContext, NodeConnections, NodeTypes, TRUE, MixerControls[0], PinsRefCount, PinsSrcRef); if (Status != MM_STATUS_SUCCESS) { // failed */ @@ -857,6 +863,9 @@ InitializeListHead(&MixerInfo->LineList); InitializeListHead(&MixerInfo->EventList);
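Review bot: `PinsRefCount` is passed as the bound for `PinsSrcRef` in this call, so the new `ASSERT(PinId < PinCount)` in the callee only means something if `PinsSrcRef` was allocated with `PinsRefCount` entries. That allocation is outside the hunk; if it uses a different count, that count should be passed instead. A short comment at the call, for example `// PinsSrcRef holds PinsRefCount entries`, would make the relationship checkable by the next reader.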
+ // sanity check + ASSERT(PinCount); + // now allocate an array which will receive the indices of the pin // which has a ADC / DAC nodetype in its path Pins = (PULONG)MixerContext->Alloc(PinCount * sizeof(ULONG));
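Review bot: `ASSERT(PinCount)` rejects zero only in checked builds and puts no upper bound on the value multiplied in `PinCount * sizeof(ULONG)`, so a very large count could wrap the allocation size while later code still indexes up to `PinCount`. If `PinCount` comes from a pin count reported by the filter (its origin is not visible in this hunk), a runtime test before the allocation is worth adding: `if (PinCount == 0 || PinCount > MAXULONG / sizeof(ULONG))`, followed by an error return. Whether the `Alloc` result is checked lies outside the hunk.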
Modified: trunk/reactos/lib/drivers/sound/mmixer/filter.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/sound/mmixer/fi... ============================================================================== --- trunk/reactos/lib/drivers/sound/mmixer/filter.c [iso-8859-1] (original) +++ trunk/reactos/lib/drivers/sound/mmixer/filter.c [iso-8859-1] Sat Jun 12 10:21:03 2010 @@ -57,6 +57,9 @@ if (Status != MM_STATUS_MORE_ENTRIES) return Status;
+ //sanity check + ASSERT(BytesReturned); + // allocate an result buffer MultipleItem = (PKSMULTIPLE_ITEM)MixerContext->Alloc(BytesReturned);
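Review bot: `ASSERT(BytesReturned)` accepts any nonzero size, but the buffer allocated on the next line is used as a `KSMULTIPLE_ITEM`, so a reply shorter than that header would still be too small for the fields read from it later. Comparing against the header size states the real requirement, and doing it at run time keeps it in release builds: `if (BytesReturned < sizeof(KSMULTIPLE_ITEM)) return MM_STATUS_UNSUCCESSFUL;`. The rest of the function, including whatever fills the buffer and any check of the `Alloc` result, is outside this hunk.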
Modified: trunk/reactos/lib/drivers/sound/mmixer/mixer.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/sound/mmixer/mi... ============================================================================== --- trunk/reactos/lib/drivers/sound/mmixer/mixer.c [iso-8859-1] (original) +++ trunk/reactos/lib/drivers/sound/mmixer/mixer.c [iso-8859-1] Sat Jun 12 10:21:03 2010 @@ -65,6 +65,8 @@ MixerCaps->vDriverVersion = MixerInfo->MixCaps.vDriverVersion; MixerCaps->fdwSupport = MixerInfo->MixCaps.fdwSupport; MixerCaps->cDestinations = MixerInfo->MixCaps.cDestinations; + + ASSERT(MixerInfo->MixCaps.szPname[MAXPNAMELEN-1] == 0); wcscpy(MixerCaps->szPname, MixerInfo->MixCaps.szPname);
return MM_STATUS_SUCCESS;
Modified: trunk/reactos/lib/drivers/sound/mmixer/priv.h URL: http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/sound/mmixer/pr... ============================================================================== --- trunk/reactos/lib/drivers/sound/mmixer/priv.h [iso-8859-1] (original) +++ trunk/reactos/lib/drivers/sound/mmixer/priv.h [iso-8859-1] Sat Jun 12 10:21:03 2010 @@ -178,6 +178,7 @@ IN PKSMULTIPLE_ITEM NodeTypes, IN ULONG bUpDirection, IN ULONG NodeConnectionIndex, + IN ULONG PinCount, OUT PULONG Pins);
MIXER_STATUS
Modified: trunk/reactos/lib/drivers/sound/mmixer/sup.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/sound/mmixer/su... ============================================================================== --- trunk/reactos/lib/drivers/sound/mmixer/sup.c [iso-8859-1] (original) +++ trunk/reactos/lib/drivers/sound/mmixer/sup.c [iso-8859-1] Sat Jun 12 10:21:03 2010 @@ -358,7 +358,7 @@ { for(Index = 0; Index < NodeConnectionCount; Index++) { - Status = MMixerGetTargetPinsByNodeConnectionIndex(MixerContext, NodeConnections, NodeTypes, bUpDirection, NodeConnection[Index], Pins); + Status = MMixerGetTargetPinsByNodeConnectionIndex(MixerContext, NodeConnections, NodeTypes, bUpDirection, NodeConnection[Index], PinCount, Pins); ASSERT(Status == STATUS_SUCCESS); } MixerContext->Free((PVOID)NodeConnection); @@ -638,6 +638,7 @@ Status = MixerContext->QueryKeyValue(hKey, L"FriendlyName", (PVOID*)&Name, &Length, &Type); if (Status == MM_STATUS_SUCCESS) { + ASSERT(Length < MAXPNAMELEN); wcscpy(MixerInfo->MixCaps.szPname, Name); MixerContext->Free(Name); return Status; @@ -650,6 +651,7 @@ Status = MixerContext->QueryKeyValue(hKey, L"FriendlyName", (PVOID*)&Name, &Length, &Type); if (Status == MM_STATUS_SUCCESS) { + ASSERT(Length < MAXPNAMELEN); wcscpy(MixerInfo->MixCaps.szPname, Name); MixerContext->Free(Name); }
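Review bot: `ASSERT(Length < MAXPNAMELEN)` in both FriendlyName hunks compares the size returned by `QueryKeyValue` with an element count. If `Length` is in bytes, as registry value sizes usually are, the assert fires for valid names longer than about half of `MAXPNAMELEN` characters. Either way it does not bound the `wcscpy` that follows once asserts are compiled out. A bounded copy removes the dependency on the assert: `wcsncpy(MixerInfo->MixCaps.szPname, Name, MAXPNAMELEN - 1);` followed by `MixerInfo->MixCaps.szPname[MAXPNAMELEN - 1] = 0;`. This still assumes `Name` is NUL-terminated within its allocation, which should be confirmed against the `QueryKeyValue` implementation.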
Modified: trunk/reactos/lib/drivers/sound/mmixer/wave.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/sound/mmixer/wa... ============================================================================== --- trunk/reactos/lib/drivers/sound/mmixer/wave.c [iso-8859-1] (original) +++ trunk/reactos/lib/drivers/sound/mmixer/wave.c [iso-8859-1] Sat Jun 12 10:21:03 2010 @@ -360,6 +360,8 @@ WaveInfo->DeviceId = MixerData->DeviceId; WaveInfo->PinId = PinId;
+ // sanity check + ASSERT(wcslen(DeviceName) < MAXPNAMELEN);
/* copy device name */ if (bWaveIn) @@ -419,9 +421,6 @@
/* free dataranges buffer */ MixerContext->Free(MultipleItem); - - -
if (bWaveIn) {