Author: tkreuzer Date: Tue Apr 1 13:21:06 2008 New Revision: 32810
URL: http://svn.reactos.org/svn/reactos?rev=32810&view=rev Log: fix handling of unsafe string parameter in NtGdiGetFontResourceInfoInternalW
Modified: trunk/reactos/subsystems/win32/win32k/objects/text.c
Modified: trunk/reactos/subsystems/win32/win32k/objects/text.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/obj...
==============================================================================
--- trunk/reactos/subsystems/win32/win32k/objects/text.c [iso-8859-1] (original)
+++ trunk/reactos/subsystems/win32/win32k/objects/text.c [iso-8859-1] Tue Apr 1 13:21:06 2008
@@ -4358,6 +4358,7 @@
 DWORD dwBytes;
 UNICODE_STRING SafeFileNames;
 BOOL bRet = FALSE;
+ ULONG cbStringSize;
 union
 {
@@ -4375,13 +4376,26 @@
 return FALSE;
 }
- /* Check buffers and copy pwszFiles */
+ /* Allocate a safe unicode string buffer */
+ cbStringSize = cwc * sizeof(WCHAR);
+ SafeFileNames.MaximumLength = SafeFileNames.Length = cbStringSize - sizeof(WCHAR);
+ SafeFileNames.Buffer = ExAllocatePoolWithTag(PagedPool,
+ cbStringSize,
+ TAG('R','T','S','U'));
+ if (!SafeFileNames.Buffer)
+ {
+ SetLastWin32Error(ERROR_NOT_ENOUGH_MEMORY);
+ return FALSE;
+ }
+
+ /* Check buffers and copy pwszFiles to safe unicode string */
 _SEH_TRY
 {
- ProbeForRead(pwszFiles, cwc * sizeof(WCHAR), 1);
- bRet = RtlCreateUnicodeString(&SafeFileNames, pwszFiles);
+ ProbeForRead(pwszFiles, cbStringSize, 1);
 ProbeForWrite(pdwBytes, sizeof(DWORD), 1);
 ProbeForWrite(pvBuf, cjIn, 1);
+
+ RtlCopyMemory(SafeFileNames.Buffer, pwszFiles, cbStringSize);
 }
 _SEH_HANDLE
 {
@@ -4389,20 +4403,15 @@
 }
 _SEH_END
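Review bot: `cbStringSize = cwc * sizeof(WCHAR)` is derived from the caller-supplied `cwc` with no range check visible in this hunk, while `Length` and `MaximumLength` are USHORT fields. With `cwc == 0` the expression `cbStringSize - sizeof(WCHAR)` wraps to a large Length over a zero-byte allocation, and any `cwc` above 0x7FFF is silently truncated, so IntGdiGetFontResourceInfo could be handed a UNICODE_STRING that does not describe the pool buffer. The copy also never confirms that the last WCHAR is a terminator, and MaximumLength should be the full buffer size rather than equal to Length. The function begins above the hunk, so an earlier check on `cwc` may already exist; if it does not, the allocation block could be written as below.

```c
/* Reject counts that UNICODE_STRING's USHORT length fields cannot hold */
if (cwc == 0 || cwc > MAXUSHORT / sizeof(WCHAR))
{
    SetLastWin32Error(ERROR_INVALID_PARAMETER);
    return FALSE;
}

cbStringSize = cwc * sizeof(WCHAR);
SafeFileNames.MaximumLength = (USHORT)cbStringSize;
SafeFileNames.Length = (USHORT)(cbStringSize - sizeof(WCHAR));
/* … unchanged: ExAllocatePoolWithTag call and NULL check … */

_SEH_TRY
{
    /* … unchanged: ProbeForRead / ProbeForWrite calls … */
    RtlCopyMemory(SafeFileNames.Buffer, pwszFiles, cbStringSize);
    /* Do not trust the caller to have terminated the string */
    SafeFileNames.Buffer[cwc - 1] = UNICODE_NULL;
}
```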
- if(!bRet)
- {
- /* Could not create the unicode string, so return instantly */
+ if(!NT_SUCCESS(Status))
+ {
+ SetLastNtError(Status);
+ /* Free the string buffer for the safe filename */
+ ExFreePool(SafeFileNames.Buffer);
 return FALSE;
 }
- if(!NT_SUCCESS(Status))
- {
- SetLastNtError(Status);
- /* Free the string for the filename */
- RtlFreeUnicodeString(&SafeFileNames);
- return FALSE;
- }
-
+ /* Do the actual call */
 bRet = IntGdiGetFontResourceInfo(&SafeFileNames, &Buffer, &dwBytes, dwType);
 /* Check if succeeded and the buffer is big enough */
@@ -4428,8 +4437,8 @@
 }
 }
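Review bot: The error path releases the buffer with `ExFreePool(SafeFileNames.Buffer)` even though it was allocated with `TAG('R','T','S','U')`. Freeing it with `ExFreePoolWithTag(SafeFileNames.Buffer, TAG('R','T','S','U'));` keeps allocation and release paired and allows the tag to be checked on free. The same applies to the final free in the last hunk (`@@ -4428,8 +4437,8 @@`). The `_SEH_HANDLE` body that sets `Status` is outside this hunk.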
- /* Free the string for the filename */
- RtlFreeUnicodeString(&SafeFileNames);
+ /* Free the string for the safe filenames */
+ ExFreePool(SafeFileNames.Buffer);
 return bRet;
 }