Author: tfaber Date: Mon Apr 24 15:04:00 2017 New Revision: 74403
URL: http://svn.reactos.org/svn/reactos?rev=74403&view=rev Log: [USER32] Fix heap corruption in EnumDisplaySettingsExA/W: - Do not overwrite the user-provided buffer size in dmDriverExtra - Fix broken pointer arithmetic CORE-13097
Modified: trunk/reactos/win32ss/user/user32/misc/display.c
Modified: trunk/reactos/win32ss/user/user32/misc/display.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/user/user32/misc/di... ==============================================================================
--- trunk/reactos/win32ss/user/user32/misc/display.c [iso-8859-1] (original)
+++ trunk/reactos/win32ss/user/user32/misc/display.c [iso-8859-1] Mon Apr 24 15:04:00 2017
@@ -238,7 +238,6 @@
 COPYS(dmDeviceName, CCHDEVICENAME);
 COPYN(dmSpecVersion);
 COPYN(dmDriverVersion);
- COPYN(dmDriverExtra);
 COPYN(dmFields);
 COPYN(dmPosition.x);
 COPYN(dmPosition.y);
@@ -288,7 +287,9 @@
 lpDevMode->dmDriverExtra = lpExtendedDevMode->dmDriverExtra;
/* Copy extra data */
- RtlCopyMemory(lpDevMode + OldSize, lpExtendedDevMode + 1, lpDevMode->dmDriverExtra);
+ RtlCopyMemory((PUCHAR)lpDevMode + OldSize,
+ lpExtendedDevMode + 1,
+ lpDevMode->dmDriverExtra);
 }
/* If the size of source structure is less, than used, we clean unsupported flags */
@@ -363,14 +364,16 @@
 Status = NtUserEnumDisplaySettings(pusDeviceName, iModeNum, lpExtendedDevMode, dwFlags);
 if (NT_SUCCESS(Status))
 {
- /* Store old structure size */
+ /* Store old structure sizes */
 WORD OldSize = lpDevMode->dmSize;
+ WORD OldDriverExtra = lpDevMode->dmDriverExtra;
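Review bot: The copy on the added lines is bounded by `lpDevMode->dmDriverExtra`, which the hunk's first context line has just set from `lpExtendedDevMode->dmDriverExtra`, so at the copy site nothing visible ties the length to the caller's buffer size that this commit is careful to preserve; presumably that assignment is the body of a clamp (something like `if (lpDevMode->dmDriverExtra > lpExtendedDevMode->dmDriverExtra)`) on the line just above the hunk, which should be confirmed, because without it the copy writes the driver's full extra size into the caller's buffer. Either way a comment at the RtlCopyMemory such as `/* Length was clamped above to the caller's dmDriverExtra, so this stays inside the caller's buffer */` would make the bound visible where it matters. The `(PUCHAR)` cast is the right fix, since the previous form advanced the pointer by OldSize whole structures rather than bytes. The same code appears in the hunk at `@@ -380,7 +383,9 @@` and this note applies there too. The enclosing function starts and ends outside the hunk.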
/* Copy general data */
 RtlCopyMemory(lpDevMode, lpExtendedDevMode, OldSize);
- /* Restore old size */
+ /* Restore old sizes */
 lpDevMode->dmSize = OldSize;
+ lpDevMode->dmDriverExtra = OldDriverExtra;
/* Extra data presented? */
 if (lpDevMode->dmDriverExtra && lpExtendedDevMode->dmDriverExtra)
@@ -380,7 +383,9 @@
 lpDevMode->dmDriverExtra = lpExtendedDevMode->dmDriverExtra;
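Review bot: `RtlCopyMemory(lpDevMode, lpExtendedDevMode, OldSize)` (a context line of this hunk) uses the caller-supplied dmSize as the copy length, and nothing inside the hunk checks it against `sizeof(DEVMODEW)`; if that validation does not happen before the NtUserEnumDisplaySettings call (outside the hunk), an oversized dmSize makes the copy over-read the kernel-filled buffer, the same class of problem the saved/restored sizes fix for dmDriverExtra. Where it is validated, a one-line comment at the copy, e.g. `/* OldSize <= sizeof(DEVMODEW): validated before the NtUser call */`, would document the bound; otherwise the request should be rejected before the copy when `OldSize > sizeof(DEVMODEW)`, using the function's existing failure path. As a point of style, the A path (hunk at `@@ -238,7 +238,6 @@`) protects dmDriverExtra by never copying it, while this W path copies everything and then restores `OldDriverExtra`; naming the shared invariant in a comment on the new `WORD OldDriverExtra` line, `/* caller-owned: size of the buffer following the structure, must never take the driver's value */`, would tie the two mechanisms together. The enclosing function starts and ends outside the hunk.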
/* Copy extra data */
- RtlCopyMemory(lpDevMode + OldSize, lpExtendedDevMode + 1, lpDevMode->dmDriverExtra);
+ RtlCopyMemory((PUCHAR)lpDevMode + OldSize,
+ lpExtendedDevMode + 1,
+ lpDevMode->dmDriverExtra);
 }
/* If the size of source structure is less, than used, we clean unsupported flags */