Author: pschweitzer Date: Thu Feb 19 19:05:56 2015 New Revision: 66356
URL: http://svn.reactos.org/svn/reactos?rev=66356&view=rev Log: [KERNEL32] Fix heap buffer overflow in case PendingFileRenameOperations already exists. Spotted by Thomas
Modified: trunk/reactos/dll/win32/kernel32/client/file/move.c
Modified: trunk/reactos/dll/win32/kernel32/client/file/move.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/kernel32/client/f...
==============================================================================
--- trunk/reactos/dll/win32/kernel32/client/file/move.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/kernel32/client/file/move.c [iso-8859-1] Thu Feb 19 19:05:56 2015
@@ -92,7 +92,7 @@
 }
 /* Reserve enough to read previous string + to append our with required null chars */
- BufferLength = NewPath->Length + ExistingPath->Length + STRING_LENGTH + 3 * sizeof(WCHAR);
+ BufferLength = NewPath->Length + ExistingPath->Length + STRING_LENGTH + 3 * sizeof(UNICODE_NULL);
 /* Check we didn't overflow */
 if (BufferLength < STRING_LENGTH)
 {
@@ -122,7 +122,7 @@
 /* If buffer was too small, then, reallocate one which is big enough */
 StringLength = DataSize;
 RtlFreeHeap(RtlGetProcessHeap(), 0, Buffer);
- BufferLength = ExistingPath->Length + StringLength + NewPath->Length + 3 * sizeof(WCHAR);
+ BufferLength = ExistingPath->Length + StringLength + NewPath->Length + 3 * sizeof(UNICODE_NULL);
 if (BufferLength < StringLength)
 {
 NtClose(KeyHandle);
@@ -148,9 +148,11 @@
 {
 PKEY_VALUE_PARTIAL_INFORMATION PartialInfo = (PKEY_VALUE_PARTIAL_INFORMATION)Buffer;
- /* Get data, our buffer begin and then where we should append data (+ null char) */
+ /* Get data, our buffer begin and then where we should append data
+ * (- null char, this is REG_MULTI_SZ, it already includes double termination, we keep only one)
+ */
 BufferBegin = PartialInfo->Data;
- BufferWrite = (PWSTR)((ULONG_PTR)PartialInfo->Data + PartialInfo->DataLength + sizeof(WCHAR));
+ BufferWrite = (PWSTR)((ULONG_PTR)PartialInfo->Data + PartialInfo->DataLength - sizeof(UNICODE_NULL));
 }
/* First copy existing */
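Review bot: The new BufferWrite computation near the end of the hunk has no lower bound on PartialInfo->DataLength: an existing PendingFileRenameOperations value that holds fewer than sizeof(UNICODE_NULL) bytes (an empty value written by another tool) makes `PartialInfo->DataLength - sizeof(UNICODE_NULL)` wrap, so BufferWrite points before Data into the partial-information header and the copy that follows writes outside the region the allocation was sized for. The comment added above it documents the double-termination assumption, but nothing in the hunk verifies it, and the value's Type is not checked here either (it may be checked outside the hunk). Suggest guarding before the subtraction, treating a short value as empty: `if (PartialInfo->DataLength < sizeof(UNICODE_NULL)) { BufferWrite = (PWSTR)PartialInfo->Data; } else { BufferWrite = (PWSTR)((ULONG_PTR)PartialInfo->Data + PartialInfo->DataLength - sizeof(UNICODE_NULL)); }`. The enclosing function and the copy that consumes BufferWrite lie outside the hunk.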