Author: pschweitzer
Date: Fri Feb 25 20:15:51 2011
New Revision: 50904
URL:
http://svn.reactos.org/svn/reactos?rev=50904&view=rev
Log:
[NTOSKNRL]
For both FsRtlIsNameInExpression() & FsRtlIsDbcsInExpression():
As both UNICODE_STRING & ANSI_STRING might not be NULL-terminated, don't attempt to
read the terminating null char.
This fixes potential buffer overruns.
Then it fixes some (all?) 'TempPte.u.Long != 0' assertion failure.
See issue #5923 for more details.
Modified:
trunk/reactos/ntoskrnl/fsrtl/dbcsname.c
trunk/reactos/ntoskrnl/fsrtl/name.c
Modified: trunk/reactos/ntoskrnl/fsrtl/dbcsname.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/fsrtl/dbcsname.c?…
==============================================================================
--- trunk/reactos/ntoskrnl/fsrtl/dbcsname.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/fsrtl/dbcsname.c [iso-8859-1] Fri Feb 25 20:15:51 2011
@@ -185,10 +185,15 @@
break;
case '?':
- ExpressionPosition++;
+ if (++ExpressionPosition == Expression->Length)
+ {
+ NamePosition = Name->Length;
+ break;
+ }
+
MatchingChars = NamePosition;
- while (Name->Buffer[NamePosition] !=
Expression->Buffer[ExpressionPosition] &&
- NamePosition < Name->Length)
+ while (NamePosition < Name->Length &&
+ Name->Buffer[NamePosition] !=
Expression->Buffer[ExpressionPosition])
{
NamePosition++;
}
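Review bot: The new end-of-expression branch for `?` (lines 27-31) sets `NamePosition = Name->Length`, so a trailing `?` consumes the whole remaining name rather than at most one character; whether that counts as a match depends on the final comparison, which lies outside the hunk, as does the rest of the enclosing function. This reproduces what the old code did whenever the buffer happened to be NUL-terminated (the scan for a NUL not present in the name ran to the end), so the bounds fix is behaviour-preserving, but the widened match deserves either a test or a comment such as `/* Trailing '?' consumes the rest of the name, as before */`. The same construct is added in name.c at lines 76-80 with the `/ sizeof(WCHAR)` scaling. Writing the guard as `>=` instead of `==` would also keep it correct if ExpressionPosition were ever advanced past Length elsewhere.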
@@ -200,7 +205,7 @@
break;
case ANSI_DOS_DOT:
- while (Name->Buffer[NamePosition] != '.' &&
NamePosition < Name->Length)
+ while (NamePosition < Name->Length &&
Name->Buffer[NamePosition] != '.')
{
NamePosition++;
}
@@ -246,8 +251,8 @@
else if (StarFound != MAXUSHORT)
{
ExpressionPosition = StarFound + 1;
- while (Name->Buffer[NamePosition] !=
Expression->Buffer[ExpressionPosition] &&
- NamePosition < Name->Length)
+ while (NamePosition < Name->Length &&
+ Name->Buffer[NamePosition] !=
Expression->Buffer[ExpressionPosition])
{
NamePosition++;
}
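Review bot: After `ExpressionPosition = StarFound + 1;` the loop condition still reads `Expression->Buffer[ExpressionPosition]` without checking `ExpressionPosition < Expression->Length`; when `*` is the last character of the expression, StarFound + 1 equals Expression->Length and the first iteration reads one element past the buffer, the same class of overrun this commit fixes for `?`, unless the `*` handling (outside the hunk) never lets a trailing star reach this branch. Adding the bound to the condition closes it: `while (NamePosition < Name->Length && ExpressionPosition < Expression->Length && Name->Buffer[NamePosition] != Expression->Buffer[ExpressionPosition])`. The loop in name.c at lines 112-115 has the same shape and would need the `/ sizeof(WCHAR)` scaled check. The enclosing function continues outside the hunk.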
Modified: trunk/reactos/ntoskrnl/fsrtl/name.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/fsrtl/name.c?rev=…
==============================================================================
--- trunk/reactos/ntoskrnl/fsrtl/name.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/fsrtl/name.c [iso-8859-1] Fri Feb 25 20:15:51 2011
@@ -45,11 +45,16 @@
break;
case L'?':
- ExpressionPosition++;
+ if (++ExpressionPosition == Expression->Length / sizeof(WCHAR))
+ {
+ NamePosition = Name->Length / sizeof(WCHAR);
+ break;
+ }
+
MatchingChars = NamePosition;
- while ((IgnoreCase ? UpcaseTable[Name->Buffer[NamePosition]] :
- Name->Buffer[NamePosition]) !=
Expression->Buffer[ExpressionPosition] &&
- NamePosition < Name->Length / sizeof(WCHAR))
+ while (NamePosition < Name->Length / sizeof(WCHAR) &&
+ (IgnoreCase ? UpcaseTable[Name->Buffer[NamePosition]] :
+ Name->Buffer[NamePosition]) !=
Expression->Buffer[ExpressionPosition])
{
NamePosition++;
}
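Review bot: `Expression->Length / sizeof(WCHAR)` and `Name->Length / sizeof(WCHAR)` are now spelled out at lines 76, 78 and 87 and again in the later hunks of this file, and the second one is re-evaluated on every loop iteration. Computing the character counts once into locals at the top of the function (e.g. `NameChars` and `ExpressionChars`, declared where the other locals are, outside this hunk) keeps each bound in one place and makes these conditions read like the ANSI version in dbcsname.c. This is a readability point only; the reordered conditions themselves are correct.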
@@ -61,8 +66,8 @@
break;
case DOS_DOT:
- while (Name->Buffer[NamePosition] != L'.' &&
- NamePosition < Name->Length / sizeof(WCHAR))
+ while (NamePosition < Name->Length / sizeof(WCHAR) &&
+ Name->Buffer[NamePosition] != L'.')
{
NamePosition++;
}
@@ -108,9 +113,9 @@
else if (StarFound != MAXUSHORT)
{
ExpressionPosition = StarFound + 1;
- while ((IgnoreCase ? UpcaseTable[Name->Buffer[NamePosition]] :
- Name->Buffer[NamePosition]) !=
Expression->Buffer[ExpressionPosition] &&
- NamePosition < Name->Length / sizeof(WCHAR))
+ while (NamePosition < Name->Length / sizeof(WCHAR) &&
+ (IgnoreCase ? UpcaseTable[Name->Buffer[NamePosition]] :
+ Name->Buffer[NamePosition]) !=
Expression->Buffer[ExpressionPosition])
{
NamePosition++;
}