- Allocate the csrss request buffer from heap if the necessary length is larger than the request structure.  
- Fixed some buffer length calculations.
Modified: trunk/reactos/include/subsys/csrss/csrss.h
Modified: trunk/reactos/lib/kernel32/misc/console.c
Modified: trunk/reactos/subsys/csrss/api/wapi.c
Modified: trunk/reactos/subsys/csrss/win32csr/conio.c

Modified: trunk/reactos/include/subsys/csrss/csrss.h
--- trunk/reactos/include/subsys/csrss/csrss.h	2005-08-28 11:58:06 UTC (rev 17581)
+++ trunk/reactos/include/subsys/csrss/csrss.h	2005-08-28 12:03:25 UTC (rev 17582)
@@ -412,12 +412,12 @@
 
 #define CSR_API_MESSAGE_HEADER_SIZE(Type)       (FIELD_OFFSET(CSR_API_MESSAGE, Data) + sizeof(Type))
 #define CSRSS_MAX_WRITE_CONSOLE                 (LPC_MAX_DATA_LENGTH - CSR_API_MESSAGE_HEADER_SIZE(CSRSS_WRITE_CONSOLE))
-#define CSRSS_MAX_SET_TITLE                     (LPC_MAX_DATA_LENGTH - CSR_API_MESSAGE_HEADER_SIZE(CSRSS_SET_TITLE))
 #define CSRSS_MAX_WRITE_CONSOLE_OUTPUT_CHAR     (LPC_MAX_DATA_LENGTH - CSR_API_MESSAGE_HEADER_SIZE(CSRSS_WRITE_CONSOLE_OUTPUT_CHAR))
 #define CSRSS_MAX_WRITE_CONSOLE_OUTPUT_ATTRIB   (LPC_MAX_DATA_LENGTH - CSR_API_MESSAGE_HEADER_SIZE(CSRSS_WRITE_CONSOLE_OUTPUT_ATTRIB))
 #define CSRSS_MAX_READ_CONSOLE                  (LPC_MAX_DATA_LENGTH - CSR_API_MESSAGE_HEADER_SIZE(CSRSS_READ_CONSOLE))
 #define CSRSS_MAX_READ_CONSOLE_OUTPUT_CHAR      (LPC_MAX_DATA_LENGTH - CSR_API_MESSAGE_HEADER_SIZE(CSRSS_READ_CONSOLE_OUTPUT_CHAR))
 #define CSRSS_MAX_READ_CONSOLE_OUTPUT_ATTRIB    (LPC_MAX_DATA_LENGTH - CSR_API_MESSAGE_HEADER_SIZE(CSRSS_READ_CONSOLE_OUTPUT_ATTRIB))
+#define CSRSS_MAX_GET_PROCESS_LIST              (LPC_MAX_DATA_LENGTH - CSR_API_MESSAGE_HEADER_SIZE(CSRSS_GET_PROCESS_LIST))
 
 /* WCHARs, not bytes! */
 #define CSRSS_MAX_TITLE_LENGTH          80
@@ -462,7 +462,7 @@
 #define GET_OUTPUT_HANDLE             (0x25)
 #define CLOSE_HANDLE                  (0x26)
 #define VERIFY_HANDLE                 (0x27)
-#define DUPLICATE_HANDLE		    (0x28)
+#define DUPLICATE_HANDLE	      (0x28)
 #define SETGET_CONSOLE_HW_STATE       (0x29)
 #define GET_CONSOLE_WINDOW            (0x2A)
 #define CREATE_DESKTOP                (0x2B)
@@ -475,7 +475,7 @@
 #define SET_CONSOLE_CP                (0x32)
 #define GET_CONSOLE_OUTPUT_CP         (0x33)
 #define SET_CONSOLE_OUTPUT_CP         (0x34)
-#define GET_INPUT_WAIT_HANDLE	    (0x35)
+#define GET_INPUT_WAIT_HANDLE	      (0x35)
 #define GET_PROCESS_LIST              (0x36)
 
 /* Keep in sync with definition below. */
@@ -483,76 +483,65 @@
 
 typedef struct _CSR_API_MESSAGE
 {
+    PORT_MESSAGE Header;
+    ULONG Type;
+    NTSTATUS Status;
     union
     {
-        PORT_MESSAGE Header;
-        union
-        {
-            struct
-            {
-                BYTE HeaderReserved[sizeof(PORT_MESSAGE)];
-                ULONG Type;
-                NTSTATUS Status;
-                union
-                {
-                    CSRSS_CREATE_PROCESS CreateProcessRequest;
-                    CSRSS_CONNECT_PROCESS ConnectRequest;
-                    CSRSS_WRITE_CONSOLE WriteConsoleRequest;
-                    CSRSS_READ_CONSOLE ReadConsoleRequest;
-                    CSRSS_ALLOC_CONSOLE AllocConsoleRequest;
-                    CSRSS_SCREEN_BUFFER_INFO ScreenBufferInfoRequest;
-                    CSRSS_SET_CURSOR SetCursorRequest;
-                    CSRSS_FILL_OUTPUT FillOutputRequest;
-                    CSRSS_READ_INPUT ReadInputRequest;
-                    CSRSS_WRITE_CONSOLE_OUTPUT_CHAR WriteConsoleOutputCharRequest;
-                    CSRSS_WRITE_CONSOLE_OUTPUT_ATTRIB WriteConsoleOutputAttribRequest;
-                    CSRSS_FILL_OUTPUT_ATTRIB FillOutputAttribRequest;
-                    CSRSS_SET_CURSOR_INFO SetCursorInfoRequest;
-                    CSRSS_GET_CURSOR_INFO GetCursorInfoRequest;
-                    CSRSS_SET_ATTRIB SetAttribRequest;
-                    CSRSS_SET_CONSOLE_MODE SetConsoleModeRequest;
-                    CSRSS_GET_CONSOLE_MODE GetConsoleModeRequest;
-                    CSRSS_CREATE_SCREEN_BUFFER CreateScreenBufferRequest;
-                    CSRSS_SET_SCREEN_BUFFER SetScreenBufferRequest;
-                    CSRSS_SET_TITLE SetTitleRequest;
-                    CSRSS_GET_TITLE GetTitleRequest;
-                    CSRSS_WRITE_CONSOLE_OUTPUT WriteConsoleOutputRequest;
-                    CSRSS_FLUSH_INPUT_BUFFER FlushInputBufferRequest;
-                    CSRSS_SCROLL_CONSOLE_SCREEN_BUFFER ScrollConsoleScreenBufferRequest;
-                    CSRSS_READ_CONSOLE_OUTPUT_CHAR ReadConsoleOutputCharRequest;
-                    CSRSS_READ_CONSOLE_OUTPUT_ATTRIB ReadConsoleOutputAttribRequest;
-                    CSRSS_GET_NUM_INPUT_EVENTS GetNumInputEventsRequest;
-                    CSRSS_REGISTER_SERVICES_PROCESS RegisterServicesProcessRequest;
-                    CSRSS_EXIT_REACTOS ExitReactosRequest;
-                    CSRSS_SET_SHUTDOWN_PARAMETERS SetShutdownParametersRequest;
-                    CSRSS_GET_SHUTDOWN_PARAMETERS GetShutdownParametersRequest;
-                    CSRSS_PEEK_CONSOLE_INPUT PeekConsoleInputRequest;
-                    CSRSS_READ_CONSOLE_OUTPUT ReadConsoleOutputRequest;
-                    CSRSS_WRITE_CONSOLE_INPUT WriteConsoleInputRequest;
-                    CSRSS_GET_INPUT_HANDLE GetInputHandleRequest;
-                    CSRSS_GET_OUTPUT_HANDLE GetOutputHandleRequest;
-                    CSRSS_CLOSE_HANDLE CloseHandleRequest;
-                    CSRSS_VERIFY_HANDLE VerifyHandleRequest;
-                    CSRSS_DUPLICATE_HANDLE DuplicateHandleRequest;
-                    CSRSS_SETGET_CONSOLE_HW_STATE ConsoleHardwareStateRequest;
-                    CSRSS_GET_CONSOLE_WINDOW GetConsoleWindowRequest;
-                    CSRSS_CREATE_DESKTOP CreateDesktopRequest;
-                    CSRSS_SHOW_DESKTOP ShowDesktopRequest;
-                    CSRSS_HIDE_DESKTOP HideDesktopRequest;
-                    CSRSS_SET_CONSOLE_ICON SetConsoleIconRequest;
-                    CSRSS_SET_LOGON_NOTIFY_WINDOW SetLogonNotifyWindowRequest;
-                    CSRSS_REGISTER_LOGON_PROCESS RegisterLogonProcessRequest;
-                    CSRSS_GET_CONSOLE_CP GetConsoleCodePage;
-                    CSRSS_SET_CONSOLE_CP SetConsoleCodePage;
-                    CSRSS_GET_CONSOLE_OUTPUT_CP GetConsoleOutputCodePage;
-                    CSRSS_SET_CONSOLE_OUTPUT_CP SetConsoleOutputCodePage;
-                    CSRSS_GET_INPUT_WAIT_HANDLE GetConsoleInputWaitHandle;
-                    CSRSS_GET_PROCESS_LIST GetProcessListRequest;
-                } Data;
-            };
-            UCHAR PadBuffer[PORT_MAXIMUM_MESSAGE_LENGTH];
-        };
-    };
+        CSRSS_CREATE_PROCESS CreateProcessRequest;
+        CSRSS_CONNECT_PROCESS ConnectRequest;
+        CSRSS_WRITE_CONSOLE WriteConsoleRequest;
+        CSRSS_READ_CONSOLE ReadConsoleRequest;
+        CSRSS_ALLOC_CONSOLE AllocConsoleRequest;
+        CSRSS_SCREEN_BUFFER_INFO ScreenBufferInfoRequest;
+        CSRSS_SET_CURSOR SetCursorRequest;
+        CSRSS_FILL_OUTPUT FillOutputRequest;
+        CSRSS_READ_INPUT ReadInputRequest;
+        CSRSS_WRITE_CONSOLE_OUTPUT_CHAR WriteConsoleOutputCharRequest;
+        CSRSS_WRITE_CONSOLE_OUTPUT_ATTRIB WriteConsoleOutputAttribRequest;
+        CSRSS_FILL_OUTPUT_ATTRIB FillOutputAttribRequest;
+        CSRSS_SET_CURSOR_INFO SetCursorInfoRequest;
+        CSRSS_GET_CURSOR_INFO GetCursorInfoRequest;
+        CSRSS_SET_ATTRIB SetAttribRequest;
+        CSRSS_SET_CONSOLE_MODE SetConsoleModeRequest;
+        CSRSS_GET_CONSOLE_MODE GetConsoleModeRequest;
+        CSRSS_CREATE_SCREEN_BUFFER CreateScreenBufferRequest;
+        CSRSS_SET_SCREEN_BUFFER SetScreenBufferRequest;
+        CSRSS_SET_TITLE SetTitleRequest;
+        CSRSS_GET_TITLE GetTitleRequest;
+        CSRSS_WRITE_CONSOLE_OUTPUT WriteConsoleOutputRequest;
+        CSRSS_FLUSH_INPUT_BUFFER FlushInputBufferRequest;
+        CSRSS_SCROLL_CONSOLE_SCREEN_BUFFER ScrollConsoleScreenBufferRequest;
+        CSRSS_READ_CONSOLE_OUTPUT_CHAR ReadConsoleOutputCharRequest;
+        CSRSS_READ_CONSOLE_OUTPUT_ATTRIB ReadConsoleOutputAttribRequest;
+        CSRSS_GET_NUM_INPUT_EVENTS GetNumInputEventsRequest;
+        CSRSS_REGISTER_SERVICES_PROCESS RegisterServicesProcessRequest;
+        CSRSS_EXIT_REACTOS ExitReactosRequest;
+        CSRSS_SET_SHUTDOWN_PARAMETERS SetShutdownParametersRequest;
+        CSRSS_GET_SHUTDOWN_PARAMETERS GetShutdownParametersRequest;
+        CSRSS_PEEK_CONSOLE_INPUT PeekConsoleInputRequest;
+        CSRSS_READ_CONSOLE_OUTPUT ReadConsoleOutputRequest;
+        CSRSS_WRITE_CONSOLE_INPUT WriteConsoleInputRequest;
+        CSRSS_GET_INPUT_HANDLE GetInputHandleRequest;
+        CSRSS_GET_OUTPUT_HANDLE GetOutputHandleRequest;
+        CSRSS_CLOSE_HANDLE CloseHandleRequest;
+        CSRSS_VERIFY_HANDLE VerifyHandleRequest;
+        CSRSS_DUPLICATE_HANDLE DuplicateHandleRequest;
+        CSRSS_SETGET_CONSOLE_HW_STATE ConsoleHardwareStateRequest;
+        CSRSS_GET_CONSOLE_WINDOW GetConsoleWindowRequest;
+        CSRSS_CREATE_DESKTOP CreateDesktopRequest;
+        CSRSS_SHOW_DESKTOP ShowDesktopRequest;
+        CSRSS_HIDE_DESKTOP HideDesktopRequest;
+        CSRSS_SET_CONSOLE_ICON SetConsoleIconRequest;
+        CSRSS_SET_LOGON_NOTIFY_WINDOW SetLogonNotifyWindowRequest;
+        CSRSS_REGISTER_LOGON_PROCESS RegisterLogonProcessRequest;
+        CSRSS_GET_CONSOLE_CP GetConsoleCodePage;
+        CSRSS_SET_CONSOLE_CP SetConsoleCodePage;
+        CSRSS_GET_CONSOLE_OUTPUT_CP GetConsoleOutputCodePage;
+        CSRSS_SET_CONSOLE_OUTPUT_CP SetConsoleOutputCodePage;
+        CSRSS_GET_INPUT_WAIT_HANDLE GetConsoleInputWaitHandle;
+        CSRSS_GET_PROCESS_LIST GetProcessListRequest;
+    } Data;
 } CSR_API_MESSAGE, *PCSR_API_MESSAGE;
 
 #endif /* __INCLUDE_CSRSS_CSRSS_H */

Modified: trunk/reactos/lib/kernel32/misc/console.c
--- trunk/reactos/lib/kernel32/misc/console.c	2005-08-28 11:58:06 UTC (rev 17581)
+++ trunk/reactos/lib/kernel32/misc/console.c	2005-08-28 12:03:25 UTC (rev 17582)
@@ -1097,7 +1097,7 @@
                 LPVOID lpReserved,
                 BOOL bUnicode)
 {
-  CSR_API_MESSAGE Request; 
+  PCSR_API_MESSAGE Request; 
   ULONG CsrRequest;
   NTSTATUS Status;
   USHORT nChars;
@@ -1105,40 +1105,51 @@
   DWORD Written = 0;
 
   CharSize = (bUnicode ? sizeof(WCHAR) : sizeof(CHAR));
+  Request = RtlAllocateHeap(RtlGetProcessHeap(), 0, 
+                            max(sizeof(CSR_API_MESSAGE), 
+                                CSR_API_MESSAGE_HEADER_SIZE(CSRSS_WRITE_CONSOLE) 
+                                  + min(nNumberOfCharsToWrite, CSRSS_MAX_WRITE_CONSOLE / CharSize) * CharSize));
+  if (Request == NULL)
+  {
+    SetLastError(ERROR_NOT_ENOUGH_MEMORY);
+    return FALSE;
+  }
 
   CsrRequest = MAKE_CSR_API(WRITE_CONSOLE, CSR_CONSOLE);
-  Request.Data.WriteConsoleRequest.ConsoleHandle = hConsoleOutput;
-  Request.Data.WriteConsoleRequest.Unicode = bUnicode;
+  Request->Data.WriteConsoleRequest.ConsoleHandle = hConsoleOutput;
+  Request->Data.WriteConsoleRequest.Unicode = bUnicode;
 
   while(nNumberOfCharsToWrite > 0)
   {
-    nChars = min(nNumberOfCharsToWrite, CSRSS_MAX_WRITE_CONSOLE) / CharSize;
-    Request.Data.WriteConsoleRequest.NrCharactersToWrite = nChars;
+    nChars = min(nNumberOfCharsToWrite, CSRSS_MAX_WRITE_CONSOLE / CharSize);
+    Request->Data.WriteConsoleRequest.NrCharactersToWrite = nChars;
 
     SizeBytes = nChars * CharSize;
 
-    memcpy(Request.Data.WriteConsoleRequest.Buffer, lpBuffer, SizeBytes);
+    memcpy(Request->Data.WriteConsoleRequest.Buffer, lpBuffer, SizeBytes);
 
-    Status = CsrClientCallServer(&Request,
+    Status = CsrClientCallServer(Request,
                                  NULL,
                                  CsrRequest,
-                                 sizeof(CSR_API_MESSAGE));
+                                 max(sizeof(CSR_API_MESSAGE), CSR_API_MESSAGE_HEADER_SIZE(CSRSS_WRITE_CONSOLE) + SizeBytes));
 
-    if(!NT_SUCCESS(Status) || !NT_SUCCESS(Status = Request.Status))
+    if(!NT_SUCCESS(Status) || !NT_SUCCESS(Status = Request->Status))
     {
+      RtlFreeHeap(RtlGetProcessHeap(), 0, Request);
       SetLastErrorByStatus(Status);
       return FALSE;
     }
 
     nNumberOfCharsToWrite -= nChars;
     lpBuffer = (PVOID)((ULONG_PTR)lpBuffer + (ULONG_PTR)SizeBytes);
-    Written += Request.Data.WriteConsoleRequest.NrCharactersWritten;
+    Written += Request->Data.WriteConsoleRequest.NrCharactersWritten;
   }
 
   if(lpNumberOfCharsWritten != NULL)
   {
     *lpNumberOfCharsWritten = Written;
   }
+  RtlFreeHeap(RtlGetProcessHeap(), 0, Request);
 
   return TRUE;
 }
@@ -1196,20 +1207,29 @@
                LPVOID lpReserved,
                BOOL bUnicode)
 {
-  CSR_API_MESSAGE Request; 
+  PCSR_API_MESSAGE Request; 
   ULONG CsrRequest;
   NTSTATUS Status;
   ULONG CharSize, CharsRead = 0;
 
   CharSize = (bUnicode ? sizeof(WCHAR) : sizeof(CHAR));
+  Request = RtlAllocateHeap(RtlGetProcessHeap(), 0,
+                            max(sizeof(CSR_API_MESSAGE),
+                                CSR_API_MESSAGE_HEADER_SIZE(CSRSS_READ_CONSOLE) 
+                                  + min(nNumberOfCharsToRead, CSRSS_MAX_READ_CONSOLE / CharSize) * CharSize));
+  if (Request == NULL)
+  {
+    SetLastError(ERROR_NOT_ENOUGH_MEMORY);
+    return FALSE;
+  }
 
-  Request.Status = STATUS_SUCCESS;
+  Request->Status = STATUS_SUCCESS;
 
   do
   {
-    if(Request.Status == STATUS_PENDING)
+    if(Request->Status == STATUS_PENDING)
     {
-      Status = NtWaitForSingleObject(Request.Data.ReadConsoleRequest.EventHandle, FALSE, 0);
+      Status = NtWaitForSingleObject(Request->Data.ReadConsoleRequest.EventHandle, FALSE, 0);
       if(!NT_SUCCESS(Status))
       {
         DPRINT1("Wait for console input failed!\n");
@@ -1218,44 +1238,49 @@
     }
 
     CsrRequest = MAKE_CSR_API(READ_CONSOLE, CSR_CONSOLE);
-    Request.Data.ReadConsoleRequest.ConsoleHandle = hConsoleInput;
-    Request.Data.ReadConsoleRequest.Unicode = bUnicode;
-    Request.Data.ReadConsoleRequest.NrCharactersToRead = min(nNumberOfCharsToRead, CSRSS_MAX_READ_CONSOLE) / CharSize;
-    Request.Data.ReadConsoleRequest.nCharsCanBeDeleted = CharsRead;
-    Status = CsrClientCallServer(&Request,
+    Request->Data.ReadConsoleRequest.ConsoleHandle = hConsoleInput;
+    Request->Data.ReadConsoleRequest.Unicode = bUnicode;
+    Request->Data.ReadConsoleRequest.NrCharactersToRead = min(nNumberOfCharsToRead, CSRSS_MAX_READ_CONSOLE / CharSize);
+    Request->Data.ReadConsoleRequest.nCharsCanBeDeleted = CharsRead;
+    Status = CsrClientCallServer(Request,
                                  NULL,
                                  CsrRequest,
-                                 sizeof(CSR_API_MESSAGE));
+                                 max(sizeof(CSR_API_MESSAGE), 
+                                     CSR_API_MESSAGE_HEADER_SIZE(CSRSS_READ_CONSOLE) 
+                                       + Request->Data.ReadConsoleRequest.NrCharactersToRead * CharSize));
 
-    if(!NT_SUCCESS(Status) || !NT_SUCCESS(Status = Request.Status))
+    if(!NT_SUCCESS(Status) || !NT_SUCCESS(Status = Request->Status))
     {
       DPRINT1("CSR returned error in ReadConsole\n");
+      RtlFreeHeap(RtlGetProcessHeap(), 0, Request);
       SetLastErrorByStatus(Status);
       return FALSE;
     }
 
-    nNumberOfCharsToRead -= Request.Data.ReadConsoleRequest.NrCharactersRead;
+    nNumberOfCharsToRead -= Request->Data.ReadConsoleRequest.NrCharactersRead;
     memcpy((PVOID)((ULONG_PTR)lpBuffer + (ULONG_PTR)(CharsRead * CharSize)),
-           Request.Data.ReadConsoleRequest.Buffer,
-           Request.Data.ReadConsoleRequest.NrCharactersRead * CharSize);
-    CharsRead += Request.Data.ReadConsoleRequest.NrCharactersRead;
+           Request->Data.ReadConsoleRequest.Buffer,
+           Request->Data.ReadConsoleRequest.NrCharactersRead * CharSize);
+    CharsRead += Request->Data.ReadConsoleRequest.NrCharactersRead;
 
-    if(Request.Status == STATUS_NOTIFY_CLEANUP)
+    if(Request->Status == STATUS_NOTIFY_CLEANUP)
     {
       if(CharsRead > 0)
       {
         CharsRead--;
         nNumberOfCharsToRead++;
       }
-      Request.Status = STATUS_PENDING;
+      Request->Status = STATUS_PENDING;
     }
-  } while(Request.Status == STATUS_PENDING && nNumberOfCharsToRead > 0);
+  } while(Request->Status == STATUS_PENDING && nNumberOfCharsToRead > 0);
 
   if(lpNumberOfCharsRead != NULL)
   {
     *lpNumberOfCharsRead = CharsRead;
   }
 
+  RtlFreeHeap(RtlGetProcessHeap(), 0, Request);
+
   return TRUE;
 }
 
@@ -2018,7 +2043,7 @@
                               LPDWORD lpNumberOfCharsRead,
                               BOOL bUnicode)
 {
-  CSR_API_MESSAGE Request; ULONG CsrRequest;
+  PCSR_API_MESSAGE Request; ULONG CsrRequest;
   NTSTATUS Status;
   ULONG nChars, SizeBytes, CharSize;
   DWORD CharsRead = 0;
@@ -2028,35 +2053,47 @@
   nChars = min(nLength, CSRSS_MAX_READ_CONSOLE_OUTPUT_CHAR) / CharSize;
   SizeBytes = nChars * CharSize;
 
+  Request = RtlAllocateHeap(RtlGetProcessHeap(), 0,
+                            max(sizeof(CSR_API_MESSAGE),
+                                CSR_API_MESSAGE_HEADER_SIZE(CSRSS_READ_CONSOLE_OUTPUT_CHAR) 
+                                  + min (nChars, CSRSS_MAX_READ_CONSOLE_OUTPUT_CHAR / CharSize) * CharSize));
+  if (Request == NULL)
+  {
+    SetLastError(ERROR_NOT_ENOUGH_MEMORY);
+    return FALSE;
+  }
+
   CsrRequest = MAKE_CSR_API(READ_CONSOLE_OUTPUT_CHAR, CSR_CONSOLE);
-  Request.Data.ReadConsoleOutputCharRequest.ConsoleHandle = hConsoleOutput;
-  Request.Data.ReadConsoleOutputCharRequest.Unicode = bUnicode;
-  Request.Data.ReadConsoleOutputCharRequest.ReadCoord = dwReadCoord;
+  Request->Data.ReadConsoleOutputCharRequest.ConsoleHandle = hConsoleOutput;
+  Request->Data.ReadConsoleOutputCharRequest.Unicode = bUnicode;
+  Request->Data.ReadConsoleOutputCharRequest.ReadCoord = dwReadCoord;
 
   while(nLength > 0)
   {
     DWORD BytesRead;
 
-    Request.Data.ReadConsoleOutputCharRequest.NumCharsToRead = min(nLength, nChars);
-    SizeBytes = Request.Data.ReadConsoleOutputCharRequest.NumCharsToRead * CharSize;
+    Request->Data.ReadConsoleOutputCharRequest.NumCharsToRead = min(nLength, nChars);
+    SizeBytes = Request->Data.ReadConsoleOutputCharRequest.NumCharsToRead * CharSize;
 
-    Status = CsrClientCallServer(&Request,
+    Status = CsrClientCallServer(Request,
                                  NULL,
                                  CsrRequest,
-                                 sizeof(CSR_API_MESSAGE));
-    if(!NT_SUCCESS(Status) || !NT_SUCCESS(Request.Status))
+                                 max (sizeof(CSR_API_MESSAGE), 
+                                      CSR_API_MESSAGE_HEADER_SIZE(CSRSS_READ_CONSOLE_OUTPUT_CHAR) + SizeBytes));
+    if(!NT_SUCCESS(Status) || !NT_SUCCESS(Request->Status))
     {
+      RtlFreeHeap(RtlGetProcessHeap(), 0, Request);
       SetLastErrorByStatus(Status);
       break;
     }
 
-    BytesRead = Request.Data.ReadConsoleOutputCharRequest.CharsRead * CharSize;
-    memcpy(lpCharacter, Request.Data.ReadConsoleOutputCharRequest.String, BytesRead);
+    BytesRead = Request->Data.ReadConsoleOutputCharRequest.CharsRead * CharSize;
+    memcpy(lpCharacter, Request->Data.ReadConsoleOutputCharRequest.String, BytesRead);
     lpCharacter = (PVOID)((ULONG_PTR)lpCharacter + (ULONG_PTR)BytesRead);
-    CharsRead += Request.Data.ReadConsoleOutputCharRequest.CharsRead;
-    nLength -= Request.Data.ReadConsoleOutputCharRequest.CharsRead;
+    CharsRead += Request->Data.ReadConsoleOutputCharRequest.CharsRead;
+    nLength -= Request->Data.ReadConsoleOutputCharRequest.CharsRead;
 
-    Request.Data.ReadConsoleOutputCharRequest.ReadCoord = Request.Data.ReadConsoleOutputCharRequest.EndCoord;
+    Request->Data.ReadConsoleOutputCharRequest.ReadCoord = Request->Data.ReadConsoleOutputCharRequest.EndCoord;
   }
 
   if(lpNumberOfCharsRead != NULL)
@@ -2064,6 +2101,8 @@
     *lpNumberOfCharsRead = CharsRead;
   }
 
+  RtlFreeHeap(RtlGetProcessHeap(), 0, Request);
+
   return TRUE;
 }
 
@@ -2131,16 +2170,26 @@
 	LPDWORD		lpNumberOfAttrsRead
 	)
 {
-  CSR_API_MESSAGE Request; ULONG CsrRequest;
+  PCSR_API_MESSAGE Request; ULONG CsrRequest;
   NTSTATUS Status;
   DWORD Size;
 
   if (lpNumberOfAttrsRead != NULL)
     *lpNumberOfAttrsRead = nLength;
 
+  Request = RtlAllocateHeap(RtlGetProcessHeap(), 0,
+                            max(sizeof(CSR_API_MESSAGE),
+                                CSR_API_MESSAGE_HEADER_SIZE(CSRSS_READ_CONSOLE_OUTPUT_ATTRIB)
+                                  + min (nLength, CSRSS_MAX_READ_CONSOLE_OUTPUT_ATTRIB / sizeof(WORD)) * sizeof(WORD)));
+  if (Request == NULL)
+  {
+    SetLastError(ERROR_NOT_ENOUGH_MEMORY);
+    return FALSE;
+  }
+
   CsrRequest = MAKE_CSR_API(READ_CONSOLE_OUTPUT_ATTRIB, CSR_CONSOLE);
-  Request.Data.ReadConsoleOutputAttribRequest.ConsoleHandle = hConsoleOutput;
-  Request.Data.ReadConsoleOutputAttribRequest.ReadCoord = dwReadCoord;
+  Request->Data.ReadConsoleOutputAttribRequest.ConsoleHandle = hConsoleOutput;
+  Request->Data.ReadConsoleOutputAttribRequest.ReadCoord = dwReadCoord;
 
   while (nLength != 0)
     {
@@ -2149,24 +2198,28 @@
       else
 	Size = nLength;
 
-      Request.Data.ReadConsoleOutputAttribRequest.NumAttrsToRead = Size;
+      Request->Data.ReadConsoleOutputAttribRequest.NumAttrsToRead = Size;
 
-      Status = CsrClientCallServer(&Request,
+      Status = CsrClientCallServer(Request,
 				   NULL,
 				   CsrRequest,
-				   sizeof(CSR_API_MESSAGE));
-      if (!NT_SUCCESS(Status) || !NT_SUCCESS(Request.Status))
+                                   max (sizeof(CSR_API_MESSAGE),
+                                        CSR_API_MESSAGE_HEADER_SIZE(CSRSS_READ_CONSOLE_OUTPUT_ATTRIB) + Size * sizeof(WORD)));
+      if (!NT_SUCCESS(Status) || !NT_SUCCESS(Request->Status))
 	{
+          RtlFreeHeap(RtlGetProcessHeap(), 0, Request);
 	  SetLastErrorByStatus(Status);
 	  return(FALSE);
 	}
 
-      memcpy(lpAttribute, Request.Data.ReadConsoleOutputAttribRequest.Attribute, Size * sizeof(WORD));
+      memcpy(lpAttribute, Request->Data.ReadConsoleOutputAttribRequest.Attribute, Size * sizeof(WORD));
       lpAttribute += Size;
       nLength -= Size;
-      Request.Data.ReadConsoleOutputAttribRequest.ReadCoord = Request.Data.ReadConsoleOutputAttribRequest.EndCoord;
+      Request->Data.ReadConsoleOutputAttribRequest.ReadCoord = Request->Data.ReadConsoleOutputAttribRequest.EndCoord;
     }
 
+  RtlFreeHeap(RtlGetProcessHeap(), 0, Request);
+
   return(TRUE);
 }
 
@@ -2179,7 +2232,7 @@
                                LPDWORD lpNumberOfCharsWritten,
                                BOOL bUnicode)
 {
-  CSR_API_MESSAGE Request; ULONG CsrRequest;
+  PCSR_API_MESSAGE Request; ULONG CsrRequest;
   NTSTATUS Status;
   ULONG SizeBytes, CharSize, nChars;
   DWORD Written = 0;
@@ -2189,36 +2242,48 @@
   nChars = min(nLength, CSRSS_MAX_WRITE_CONSOLE_OUTPUT_CHAR / CharSize);
   SizeBytes = nChars * CharSize;
 
+  Request = RtlAllocateHeap(RtlGetProcessHeap(), 0,
+                            max (sizeof(CSR_API_MESSAGE),
+                                 CSR_API_MESSAGE_HEADER_SIZE(CSRSS_WRITE_CONSOLE_OUTPUT_CHAR) 
+                                   + min (nChars, CSRSS_MAX_WRITE_CONSOLE_OUTPUT_CHAR / CharSize) * CharSize));
+  if (Request == NULL)
+  {
+    SetLastError(ERROR_NOT_ENOUGH_MEMORY);
+    return FALSE;
+  }
+
   CsrRequest = MAKE_CSR_API(WRITE_CONSOLE_OUTPUT_CHAR, CSR_CONSOLE);
-  Request.Data.WriteConsoleOutputCharRequest.ConsoleHandle = hConsoleOutput;
-  Request.Data.WriteConsoleOutputCharRequest.Unicode = bUnicode;
-  Request.Data.WriteConsoleOutputCharRequest.Coord = dwWriteCoord;
+  Request->Data.WriteConsoleOutputCharRequest.ConsoleHandle = hConsoleOutput;
+  Request->Data.WriteConsoleOutputCharRequest.Unicode = bUnicode;
+  Request->Data.WriteConsoleOutputCharRequest.Coord = dwWriteCoord;
 
   while(nLength > 0)
   {
     DWORD BytesWrite;
 
-    Request.Data.WriteConsoleOutputCharRequest.Length = min(nLength, nChars);
-    BytesWrite = Request.Data.WriteConsoleOutputCharRequest.Length * CharSize;
+    Request->Data.WriteConsoleOutputCharRequest.Length = min(nLength, nChars);
+    BytesWrite = Request->Data.WriteConsoleOutputCharRequest.Length * CharSize;
 
-    memcpy(Request.Data.WriteConsoleOutputCharRequest.String, lpCharacter, BytesWrite);
+    memcpy(Request->Data.WriteConsoleOutputCharRequest.String, lpCharacter, BytesWrite);
 
-    Status = CsrClientCallServer(&Request, 
+    Status = CsrClientCallServer(Request, 
                                  NULL,
                                  CsrRequest,
-                                 sizeof(CSR_API_MESSAGE));
+                                 max (sizeof(CSR_API_MESSAGE),
+                                      CSR_API_MESSAGE_HEADER_SIZE(CSRSS_WRITE_CONSOLE_OUTPUT_CHAR) + BytesWrite));
 
-    if(!NT_SUCCESS(Status) || !NT_SUCCESS(Status = Request.Status))
+    if(!NT_SUCCESS(Status) || !NT_SUCCESS(Status = Request->Status))
     {
+      RtlFreeHeap(RtlGetProcessHeap(), 0, Request);
       SetLastErrorByStatus(Status);
       return FALSE;
     }
 
-    nLength -= Request.Data.WriteConsoleOutputCharRequest.NrCharactersWritten;
-    lpCharacter = (PVOID)((ULONG_PTR)lpCharacter + (ULONG_PTR)(Request.Data.WriteConsoleOutputCharRequest.NrCharactersWritten * CharSize));
-    Written += Request.Data.WriteConsoleOutputCharRequest.NrCharactersWritten;
+    nLength -= Request->Data.WriteConsoleOutputCharRequest.NrCharactersWritten;
+    lpCharacter = (PVOID)((ULONG_PTR)lpCharacter + (ULONG_PTR)(Request->Data.WriteConsoleOutputCharRequest.NrCharactersWritten * CharSize));
+    Written += Request->Data.WriteConsoleOutputCharRequest.NrCharactersWritten;
 
-    Request.Data.WriteConsoleOutputCharRequest.Coord = Request.Data.WriteConsoleOutputCharRequest.EndCoord;
+    Request->Data.WriteConsoleOutputCharRequest.Coord = Request->Data.WriteConsoleOutputCharRequest.EndCoord;
   }
 
   if(lpNumberOfCharsWritten != NULL)
@@ -2226,6 +2291,8 @@
     *lpNumberOfCharsWritten = Written;
   }
 
+  RtlFreeHeap(RtlGetProcessHeap(), 0, Request);
+
   return TRUE;
 }
 
@@ -2287,32 +2354,50 @@
 	LPDWORD		 lpNumberOfAttrsWritten
 	)
 {
-   CSR_API_MESSAGE Request; ULONG CsrRequest;
+   PCSR_API_MESSAGE Request; ULONG CsrRequest;
    NTSTATUS Status;
    WORD Size;
 
+   Request = RtlAllocateHeap(RtlGetProcessHeap(), 0,
+                             max (sizeof(CSR_API_MESSAGE),
+                                  CSR_API_MESSAGE_HEADER_SIZE(CSRSS_WRITE_CONSOLE_OUTPUT_ATTRIB)
+                                    + min(nLength, CSRSS_MAX_WRITE_CONSOLE_OUTPUT_ATTRIB / sizeof(WORD)) * sizeof(WORD)));
+   if (Request == NULL)
+   {
+      SetLastError(ERROR_NOT_ENOUGH_MEMORY);
+      return FALSE;
+   }
+
    CsrRequest = MAKE_CSR_API(WRITE_CONSOLE_OUTPUT_ATTRIB, CSR_CONSOLE);
-   Request.Data.WriteConsoleOutputAttribRequest.ConsoleHandle = hConsoleOutput;
-   Request.Data.WriteConsoleOutputAttribRequest.Coord = dwWriteCoord;
+   Request->Data.WriteConsoleOutputAttribRequest.ConsoleHandle = hConsoleOutput;
+   Request->Data.WriteConsoleOutputAttribRequest.Coord = dwWriteCoord;
    if( lpNumberOfAttrsWritten )
       *lpNumberOfAttrsWritten = nLength;
    while( nLength )
       {
 	 Size = min(nLength, CSRSS_MAX_WRITE_CONSOLE_OUTPUT_ATTRIB / sizeof(WORD));
-	 Request.Data.WriteConsoleOutputAttribRequest.Length = Size;
-         memcpy(Request.Data.WriteConsoleOutputAttribRequest.Attribute, lpAttribute, Size * sizeof(WORD));
+	 Request->Data.WriteConsoleOutputAttribRequest.Length = Size;
+         memcpy(Request->Data.WriteConsoleOutputAttribRequest.Attribute, lpAttribute, Size * sizeof(WORD));
 
-	 Status = CsrClientCallServer( &Request, NULL, CsrRequest, sizeof(CSR_API_MESSAGE));
-	 if( !NT_SUCCESS( Status ) || !NT_SUCCESS( Status = Request.Status ) )
+	 Status = CsrClientCallServer( Request, 
+                                       NULL, 
+                                       CsrRequest, 
+                                       max (sizeof(CSR_API_MESSAGE),
+                                            CSR_API_MESSAGE_HEADER_SIZE(CSRSS_WRITE_CONSOLE_OUTPUT_ATTRIB) + Size * sizeof(WORD)));
+                                            
+	 if( !NT_SUCCESS( Status ) || !NT_SUCCESS( Status = Request->Status ) )
 	    {
+               RtlFreeHeap(RtlGetProcessHeap(), 0, Request);
 	       SetLastErrorByStatus ( Status );
 	       return FALSE;
 	    }
 	 nLength -= Size;
 	 lpAttribute += Size;
-	 Request.Data.WriteConsoleOutputAttribRequest.Coord = Request.Data.WriteConsoleOutputAttribRequest.EndCoord;
+	 Request->Data.WriteConsoleOutputAttribRequest.Coord = Request->Data.WriteConsoleOutputAttribRequest.EndCoord;
       }
 
+   RtlFreeHeap(RtlGetProcessHeap(), 0, Request);
+
    return TRUE;
 }
 
@@ -2879,7 +2964,7 @@
 	DWORD		nSize
 	)
 {
-   CSR_API_MESSAGE Request; ULONG CsrRequest;
+   PCSR_API_MESSAGE Request; ULONG CsrRequest;
    NTSTATUS Status;
    HANDLE hConsole;
 
@@ -2889,32 +2974,43 @@
       return 0;
    }
 
+   Request = RtlAllocateHeap(RtlGetProcessHeap(), 0,
+                             CSR_API_MESSAGE_HEADER_SIZE(CSRSS_GET_TITLE) + CSRSS_MAX_TITLE_LENGTH * sizeof(WCHAR));
+   if (Request == NULL)
+   {
+      SetLastError(ERROR_NOT_ENOUGH_MEMORY);
+      return FALSE;
+   }
+
    CsrRequest = MAKE_CSR_API(GET_TITLE, CSR_CONSOLE);
-   Request.Data.GetTitleRequest.ConsoleHandle = hConsole;
+   Request->Data.GetTitleRequest.ConsoleHandle = hConsole;
 
-   Status = CsrClientCallServer(&Request, 
+   Status = CsrClientCallServer(Request, 
                                 NULL, 
                                 CsrRequest, 
-                                sizeof(CSR_API_MESSAGE));
+                                CSR_API_MESSAGE_HEADER_SIZE(CSRSS_GET_TITLE) + CSRSS_MAX_TITLE_LENGTH * sizeof(WCHAR));
    CloseHandle(hConsole);
-   if(!NT_SUCCESS(Status) || !(NT_SUCCESS(Status = Request.Status)))
+   if(!NT_SUCCESS(Status) || !(NT_SUCCESS(Status = Request->Status)))
    {
+      RtlFreeHeap(RtlGetProcessHeap(), 0, Request);
       SetLastErrorByStatus(Status);
       return 0;
    }
 
-   if(nSize * sizeof(WCHAR) < Request.Data.GetTitleRequest.Length)
+   if(nSize * sizeof(WCHAR) < Request->Data.GetTitleRequest.Length)
    {
-      wcsncpy(lpConsoleTitle, Request.Data.GetTitleRequest.Title, nSize - 1);
+      wcsncpy(lpConsoleTitle, Request->Data.GetTitleRequest.Title, nSize - 1);
       lpConsoleTitle[nSize--] = L'\0';
    }
    else
    {
-      nSize = Request.Data.GetTitleRequest.Length / sizeof (WCHAR);
-      wcscpy(lpConsoleTitle, Request.Data.GetTitleRequest.Title);
+      nSize = Request->Data.GetTitleRequest.Length / sizeof (WCHAR);
+      wcscpy(lpConsoleTitle, Request->Data.GetTitleRequest.Title);
       lpConsoleTitle[nSize] = L'\0';
    }
 
+   RtlFreeHeap(RtlGetProcessHeap(), 0, Request);
+
    return nSize;
 }
 
@@ -2971,7 +3067,7 @@
 	LPCWSTR		lpConsoleTitle
 	)
 {
-  CSR_API_MESSAGE Request; ULONG CsrRequest;
+  PCSR_API_MESSAGE Request; ULONG CsrRequest;
   NTSTATUS Status;
   unsigned int c;
   HANDLE hConsole;
@@ -2982,24 +3078,36 @@
      return FALSE;
   }
 
+  Request = RtlAllocateHeap(RtlGetProcessHeap(), 0,
+                            max (sizeof(CSR_API_MESSAGE),
+                                 CSR_API_MESSAGE_HEADER_SIZE(CSRSS_SET_TITLE) + 
+                                 min (wcslen(lpConsoleTitle), CSRSS_MAX_TITLE_LENGTH) * sizeof(WCHAR)));
+  if (Request == NULL)
+  {
+     SetLastError(ERROR_NOT_ENOUGH_MEMORY);
+     return FALSE;
+  }
+
   CsrRequest = MAKE_CSR_API(SET_TITLE, CSR_CONSOLE);
-  Request.Data.SetTitleRequest.Console = hConsole;
+  Request->Data.SetTitleRequest.Console = hConsole;
 
   for( c = 0; lpConsoleTitle[c] && c < CSRSS_MAX_TITLE_LENGTH; c++ )
-    Request.Data.SetTitleRequest.Title[c] = lpConsoleTitle[c];
-  // add null
-  Request.Data.SetTitleRequest.Title[c] = 0;
-  Request.Data.SetTitleRequest.Length = c;
-  Status = CsrClientCallServer(&Request,
+    Request->Data.SetTitleRequest.Title[c] = lpConsoleTitle[c];
+  Request->Data.SetTitleRequest.Length = c * sizeof(WCHAR);
+  Status = CsrClientCallServer(Request,
 			       NULL,
                                CsrRequest,
-			       sizeof(CSR_API_MESSAGE));
+			       max (sizeof(CSR_API_MESSAGE), CSR_API_MESSAGE_HEADER_SIZE(CSRSS_SET_TITLE) + c * sizeof(WCHAR)));
   CloseHandle(hConsole);
-  if (!NT_SUCCESS(Status) || !NT_SUCCESS( Status = Request.Status ) )
+  if (!NT_SUCCESS(Status) || !NT_SUCCESS( Status = Request->Status ) )
     {
+      RtlFreeHeap(RtlGetProcessHeap(), 0, Request);
       SetLastErrorByStatus (Status);
       return(FALSE);
     }
+
+  RtlFreeHeap(RtlGetProcessHeap(), 0, Request);
+
   return TRUE;
 }
 
@@ -3017,7 +3125,7 @@
 	LPCSTR		lpConsoleTitle
 	)
 {
-  CSR_API_MESSAGE Request; ULONG CsrRequest;
+  PCSR_API_MESSAGE Request; ULONG CsrRequest;
   NTSTATUS Status;
   unsigned int c;
   HANDLE hConsole;
@@ -3028,24 +3136,36 @@
      return FALSE;
   }
 
+  Request = RtlAllocateHeap(RtlGetProcessHeap(), 0,
+                            max (sizeof(CSR_API_MESSAGE),
+                                 CSR_API_MESSAGE_HEADER_SIZE(CSRSS_SET_TITLE) + 
+                                   min (strlen(lpConsoleTitle), CSRSS_MAX_TITLE_LENGTH) * sizeof(WCHAR)));
+  if (Request == NULL)
+  {
+     SetLastError(ERROR_NOT_ENOUGH_MEMORY);
+     return FALSE;
+  }
+
   CsrRequest = MAKE_CSR_API(SET_TITLE, CSR_CONSOLE);
-  Request.Data.SetTitleRequest.Console = hConsole;
+  Request->Data.SetTitleRequest.Console = hConsole;
 
   for( c = 0; lpConsoleTitle[c] && c < CSRSS_MAX_TITLE_LENGTH; c++ )
-    Request.Data.SetTitleRequest.Title[c] = lpConsoleTitle[c];
-  // add null
-  Request.Data.SetTitleRequest.Title[c] = 0;
-  Request.Data.SetTitleRequest.Length = c;
-  Status = CsrClientCallServer(&Request,
+    Request->Data.SetTitleRequest.Title[c] = lpConsoleTitle[c];
+  Request->Data.SetTitleRequest.Length = c * sizeof(WCHAR);
+  Status = CsrClientCallServer(Request,
 			       NULL,
                                CsrRequest,
-			       sizeof(CSR_API_MESSAGE));
+			       max (sizeof(CSR_API_MESSAGE), CSR_API_MESSAGE_HEADER_SIZE(CSRSS_SET_TITLE) + c * sizeof(WCHAR)));
   CloseHandle(hConsole);
-  if (!NT_SUCCESS(Status) || !NT_SUCCESS( Status = Request.Status ) )
+  if (!NT_SUCCESS(Status) || !NT_SUCCESS( Status = Request->Status ) )
     {
+      RtlFreeHeap(RtlGetProcessHeap(), 0, Request);
       SetLastErrorByStatus (Status);
       return(FALSE);
     }
+
+  RtlFreeHeap(RtlGetProcessHeap(), 0, Request);
+
   return TRUE;
 }
 
@@ -3194,7 +3314,7 @@
 GetConsoleProcessList(LPDWORD lpdwProcessList,
                       DWORD dwProcessCount)
 {
-  CSR_API_MESSAGE Request; ULONG CsrRequest;
+  PCSR_API_MESSAGE Request; ULONG CsrRequest;
   ULONG nProcesses;
   NTSTATUS Status;
 
@@ -3204,34 +3324,42 @@
     return 0;
   }
 
+  Request = RtlAllocateHeap(RtlGetProcessHeap(), 0,
+                            max (sizeof(CSR_API_MESSAGE),
+                                 CSR_API_MESSAGE_HEADER_SIZE(CSRSS_GET_PROCESS_LIST)
+                                   + min (dwProcessCount, CSRSS_MAX_GET_PROCESS_LIST / sizeof(DWORD)) * sizeof(DWORD)));
+  if (Request == NULL)
+  {
+     SetLastError(ERROR_NOT_ENOUGH_MEMORY);
+     return FALSE;
+  }
+                                   
   CsrRequest = MAKE_CSR_API(GET_PROCESS_LIST, CSR_CONSOLE);
-  Request.Data.GetProcessListRequest.nMaxIds = dwProcessCount;
+  Request->Data.GetProcessListRequest.nMaxIds = min (dwProcessCount, CSRSS_MAX_GET_PROCESS_LIST / sizeof(DWORD));
 
-  Status = CsrClientCallServer(&Request, 
+  Status = CsrClientCallServer(Request, 
                                NULL,
                                CsrRequest,
-                               sizeof(CSR_API_MESSAGE));
-  if (!NT_SUCCESS(Status) || !NT_SUCCESS(Status = Request.Status))
+                               max (sizeof(CSR_API_MESSAGE),
+                                    CSR_API_MESSAGE_HEADER_SIZE(CSRSS_GET_PROCESS_LIST) 
+                                      + Request->Data.GetProcessListRequest.nMaxIds * sizeof(DWORD)));
+  if (!NT_SUCCESS(Status) || !NT_SUCCESS(Status = Request->Status))
   {
+    RtlFreeHeap(RtlGetProcessHeap(), 0, Request);
     SetLastErrorByStatus (Status);
     nProcesses = 0;
   }
   else
   {
-    if(dwProcessCount >= Request.Data.GetProcessListRequest.nProcessIdsTotal)
+    nProcesses = Request->Data.GetProcessListRequest.nProcessIdsCopied;
+    if(dwProcessCount >= nProcesses)
     {
-      nProcesses = Request.Data.GetProcessListRequest.nProcessIdsCopied;
-      for(nProcesses = 0; nProcesses < Request.Data.GetProcessListRequest.nProcessIdsCopied; nProcesses++)
-      {
-        *(lpdwProcessList++) = (DWORD)Request.Data.GetProcessListRequest.ProcessId[nProcesses];
-      }
+      memcpy(lpdwProcessList, Request->Data.GetProcessListRequest.ProcessId, nProcesses * sizeof(DWORD));
     }
-    else
-    {
-      nProcesses = Request.Data.GetProcessListRequest.nProcessIdsTotal;
-    }
   }
 
+  RtlFreeHeap(RtlGetProcessHeap(), 0, Request);
+
   return nProcesses;
 }
 

Modified: trunk/reactos/subsys/csrss/api/wapi.c
--- trunk/reactos/subsys/csrss/api/wapi.c	2005-08-28 11:58:06 UTC (rev 17581)
+++ trunk/reactos/subsys/csrss/api/wapi.c	2005-08-28 12:03:25 UTC (rev 17582)
@@ -108,7 +108,8 @@
 ClientConnectionThread(HANDLE ServerPort)
 {
     NTSTATUS Status;
-    CSR_API_MESSAGE Request;
+    BYTE RawRequest[LPC_MAX_DATA_LENGTH];
+    PCSR_API_MESSAGE Request = (PCSR_API_MESSAGE)RawRequest;
     PCSR_API_MESSAGE Reply;
     PCSRSS_PROCESS_DATA ProcessData;
   
@@ -124,7 +125,7 @@
         Status = NtReplyWaitReceivePort(ServerPort,
                                         0,
                                         &Reply->Header,
-                                        &Request.Header);
+                                        &Request->Header);
         if (!NT_SUCCESS(Status))
         {
             DPRINT1("CSR: NtReplyWaitReceivePort failed\n");
@@ -132,31 +133,31 @@
         }
         
         /* If the connection was closed, handle that */
-        if (Request.Header.u2.s2.Type == LPC_PORT_CLOSED)
+        if (Request->Header.u2.s2.Type == LPC_PORT_CLOSED)
         {
-            CsrFreeProcessData( Request.Header.ClientId.UniqueProcess );
+            CsrFreeProcessData( Request->Header.ClientId.UniqueProcess );
             break;
         }
 
         DPRINT("CSR: Got CSR API: %x [Message Origin: %x]\n", 
-                Request.Type, 
-                Request.Header.ClientId.UniqueProcess);
+               Request->Type, 
+               Request->Header.ClientId.UniqueProcess);
 
         /* Get the Process Data */
-        ProcessData = CsrGetProcessData(Request.Header.ClientId.UniqueProcess);
+        ProcessData = CsrGetProcessData(Request->Header.ClientId.UniqueProcess);
         if (ProcessData == NULL)
         {
             DPRINT1("CSR: Message %d: Unable to find data for process 0x%x\n",
-                    Request.Header.u2.s2.Type,
-                    Request.Header.ClientId.UniqueProcess);
+                    Request->Header.u2.s2.Type,
+                    Request->Header.ClientId.UniqueProcess);
             break;
         }
 
         /* Call the Handler */
-        CsrApiCallHandler(ProcessData, &Request);
+        CsrApiCallHandler(ProcessData, Request);
         
         /* Send back the reply */
-        Reply = &Request;
+        Reply = Request;
     }
     
     /* Close the port and exit the thread */

Modified: trunk/reactos/subsys/csrss/win32csr/conio.c
--- trunk/reactos/subsys/csrss/win32csr/conio.c	2005-08-28 11:58:06 UTC (rev 17581)
+++ trunk/reactos/subsys/csrss/win32csr/conio.c	2005-08-28 12:03:25 UTC (rev 17582)
@@ -564,7 +564,7 @@
   /* truncate length to CSRSS_MAX_READ_CONSOLE_REQUEST */
   nNumberOfCharsToRead = min(Request->Data.ReadConsoleRequest.NrCharactersToRead, CSRSS_MAX_READ_CONSOLE / CharSize);
   Request->Header.u1.s1.TotalLength = sizeof(CSR_API_MESSAGE);
-  Request->Header.u1.s1.DataLength = Request->Header.u1.s1.TotalLength - sizeof(PORT_MESSAGE);
+  Request->Header.u1.s1.DataLength = sizeof(CSR_API_MESSAGE) - sizeof(PORT_MESSAGE);
 
   Buffer = Request->Data.ReadConsoleRequest.Buffer;
   UnicodeBuffer = (PWCHAR)Buffer;
@@ -672,9 +672,15 @@
     {
       Console->EchoCount = 0;             /* if the client is no longer waiting on input, do not echo */
     }
-  Request->Header.u1.s1.TotalLength += i * CharSize;
 
   ConioUnlockConsole(Console);
+
+  if (CSR_API_MESSAGE_HEADER_SIZE(CSRSS_READ_CONSOLE) + i * CharSize > sizeof(CSR_API_MESSAGE))
+    {
+      Request->Header.u1.s1.TotalLength = CSR_API_MESSAGE_HEADER_SIZE(CSRSS_READ_CONSOLE) + i * CharSize;
+      Request->Header.u1.s1.DataLength = Request->Header.u1.s1.TotalLength - sizeof(PORT_MESSAGE);
+    }
+
   return Request->Status;
 }
 
@@ -923,8 +929,8 @@
 
   DPRINT("CsrWriteConsole\n");
 
-  if (Request->Header.u1.s1.DataLength
-      < sizeof(CSRSS_WRITE_CONSOLE) 
+  if (Request->Header.u1.s1.TotalLength
+      < CSR_API_MESSAGE_HEADER_SIZE(CSRSS_WRITE_CONSOLE) 
         + (Request->Data.WriteConsoleRequest.NrCharactersToWrite * CharSize))
     {
       DPRINT1("Invalid request size\n");
@@ -1558,8 +1564,8 @@
 
   CharSize = (Request->Data.WriteConsoleOutputCharRequest.Unicode ? sizeof(WCHAR) : sizeof(CHAR));
 
-  if (Request->Header.u1.s1.DataLength
-      < sizeof(CSRSS_WRITE_CONSOLE_OUTPUT_CHAR) 
+  if (Request->Header.u1.s1.TotalLength
+      < CSR_API_MESSAGE_HEADER_SIZE(CSRSS_WRITE_CONSOLE_OUTPUT_CHAR) 
         + (Request->Data.WriteConsoleOutputCharRequest.Length * CharSize))
     {
       DPRINT1("Invalid request size\n");
@@ -1812,9 +1818,9 @@
 
   DPRINT("CsrWriteConsoleOutputAttrib\n");
 
-  if (Request->Header.u1.s1.DataLength
-      < sizeof(CSRSS_WRITE_CONSOLE_OUTPUT_ATTRIB)
-        + Request->Data.WriteConsoleOutputAttribRequest.Length)
+  if (Request->Header.u1.s1.TotalLength
+      < CSR_API_MESSAGE_HEADER_SIZE(CSRSS_WRITE_CONSOLE_OUTPUT_ATTRIB)
+        + Request->Data.WriteConsoleOutputAttribRequest.Length * sizeof(WORD))
     {
       DPRINT1("Invalid request size\n");
       Request->Header.u1.s1.TotalLength = sizeof(CSR_API_MESSAGE);
@@ -2256,11 +2262,12 @@
 {
   NTSTATUS Status;
   PCSRSS_CONSOLE Console;
+  PWCHAR Buffer;
 
   DPRINT("CsrSetTitle\n");
 
-  if (Request->Header.u1.s1.DataLength
-      < sizeof(CSRSS_SET_TITLE) 
+  if (Request->Header.u1.s1.TotalLength
[truncated at 1000 lines; 145 more skipped]