commit d519b11a286819d9d00e986ed07778a17790f7ed Author: Katayama Hirofumi MZ katayama.hirofumi.mz@gmail.com AuthorDate: Mon Aug 8 21:23:49 2022 +0900 Commit: GitHub noreply@github.com CommitDate: Mon Aug 8 21:23:49 2022 +0900
[NTUSER] Security: Follow-up of #4595 (#4598)
Improve security. CORE-11700 --- win32ss/user/ntuser/kbdlayout.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/win32ss/user/ntuser/kbdlayout.c b/win32ss/user/ntuser/kbdlayout.c
index a91a641e994..09e0f677f38 100644
--- a/win32ss/user/ntuser/kbdlayout.c
+++ b/win32ss/user/ntuser/kbdlayout.c
@@ -654,7 +654,8 @@ NtUserGetKeyboardLayoutName(
     BOOL bRet = FALSE;
     PKL pKl;
     PTHREADINFO pti;
-    UNICODE_STRING ustrTemp;
+    UNICODE_STRING ustrNameSafe;
+    NTSTATUS Status;
UserEnterShared();
@@ -667,24 +668,32 @@ NtUserGetKeyboardLayoutName(
     _SEH2_TRY
     {
         ProbeForWriteUnicodeString(pustrName);
-        ProbeForWrite(pustrName->Buffer, pustrName->MaximumLength, 1);
+        ustrNameSafe = *pustrName;
+
+        ProbeForWrite(ustrNameSafe.Buffer, ustrNameSafe.MaximumLength, 1);
         if (IS_IME_HKL(pKl->hkl))
         {
-            RtlIntegerToUnicodeString((ULONG)(ULONG_PTR)pKl->hkl, 16, pustrName);
+            Status = RtlIntegerToUnicodeString((ULONG)(ULONG_PTR)pKl->hkl, 16, &ustrNameSafe);
         }
         else
         {
-            if (pustrName->MaximumLength < KL_NAMELENGTH * sizeof(WCHAR))
+            if (ustrNameSafe.MaximumLength < KL_NAMELENGTH * sizeof(WCHAR))
             {
                 EngSetLastError(ERROR_INVALID_PARAMETER);
                 goto cleanup;
             }
-            RtlInitUnicodeString(&ustrTemp, pKl->spkf->awchKF); /* FIXME: Do not use awchKF */
-            RtlCopyUnicodeString(pustrName, &ustrTemp);
+
+            /* FIXME: Do not use awchKF */
+            ustrNameSafe.Length = 0;
+            Status = RtlAppendUnicodeToString(&ustrNameSafe, pKl->spkf->awchKF);
         }
-        bRet = TRUE;
+        if (NT_SUCCESS(Status))
+        {
+            *pustrName = ustrNameSafe;
+            bRet = TRUE;
+        }
     }
     _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
     {
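Review bot: The new failure path at `if (NT_SUCCESS(Status))` returns FALSE without setting a last error, so a caller that sees FALSE cannot tell a failed RtlIntegerToUnicodeString or RtlAppendUnicodeToString apart from the too-small-buffer case a few lines up, which does call EngSetLastError. Consider adding `else EngSetLastError(RtlNtStatusToDosError(Status));` after the success block, or the module's equivalent status-to-last-error helper if one exists. Copying the caller's descriptor into `ustrNameSafe` before the ProbeForWrite and working only on that copy is the right fix for the probe-then-reuse pattern, since `Buffer` and `MaximumLength` are now fetched from user memory once; a short comment above `ustrNameSafe = *pustrName;`, e.g. `/* Capture the caller's descriptor once so Buffer/MaximumLength cannot change between the probe and the writes */`, would keep a later editor from reintroducing a direct `pustrName->` access. The body of NtUserGetKeyboardLayoutName begins before this hunk and continues past it.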