Author: sir_richard Date: Thu Mar 11 18:46:15 2010 New Revision: 46103
URL: http://svn.reactos.org/svn/reactos?rev=46103&view=rev Log: [WIN32K]: Stop memory corruption when InstalledDisplayDrivers has more than one driver in the list. Note that driver loading is inherently broken right now, as the list of drivers is not parsed properly (this breaks eVb's VGA/VBE driver).
Modified: trunk/reactos/subsystems/win32/win32k/objects/device.c
Modified: trunk/reactos/subsystems/win32/win32k/objects/device.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/obj...
==============================================================================
--- trunk/reactos/subsystems/win32/win32k/objects/device.c [iso-8859-1] (original)
+++ trunk/reactos/subsystems/win32/win32k/objects/device.c [iso-8859-1] Thu Mar 11 18:46:15 2010
@@ -59,12 +59,37 @@
 return TRUE;
 }
+
+NTSTATUS
+NTAPI
+EnumDisplayQueryRoutine(IN PWSTR ValueName,
+ IN ULONG ValueType,
+ IN PVOID ValueData,
+ IN ULONG ValueLength,
+ IN PVOID Context,
+ IN PVOID EntryContext)
+{
+ if ((Context == NULL) && ((ValueType == REG_SZ) || (ValueType == REG_MULTI_SZ)))
+ {
+ *(PULONG)EntryContext = ValueLength;
+ }
+ else
+ {
+ DPRINT1("Value data: %S %d\n", ValueData, ValueLength);
+ RtlCopyMemory(Context, ValueData, ValueLength);
+ }
+
+ return STATUS_SUCCESS;
+ }
+
 static BOOL FASTCALL
 FindDriverFileNames(PUNICODE_STRING DriverFileNames, ULONG DisplayNumber)
 {
 RTL_QUERY_REGISTRY_TABLE QueryTable[2];
 UNICODE_STRING RegistryPath;
 NTSTATUS Status;
+ PWCHAR DriverNames = NULL;
+ ULONG Length = 0;
 if (! GetRegistryPath(&RegistryPath, DisplayNumber))
 {
@@ -73,23 +98,40 @@
 }
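Review bot: The else branch of EnumDisplayQueryRoutine is also taken on the sizing pass (Context == NULL) whenever the value is not REG_SZ/REG_MULTI_SZ, so RtlCopyMemory then writes ValueLength bytes through a NULL Context, and on the copy pass nothing verifies that ValueLength still fits the buffer sized by the first RtlQueryRegistryValues call, so a value that grows between the two calls (another writer to the registry, or a type change) overflows the pool allocation. Because the same QueryTable entry with EntryContext = &Length is reused for both calls, the copy pass can bound itself by *(PULONG)EntryContext and reject non-string types up front instead of copying blindly; this relies on RtlQueryRegistryValues propagating a failing status from the query routine, as it does on NT. The DPRINT1 with %S on ValueData also assumes a NUL-terminated string, which is only justified after the type check. EnumDisplayQueryRoutine is complete in this hunk; FindDriverFileNames begins here and continues into the next hunk.
```c
NTSTATUS
NTAPI
EnumDisplayQueryRoutine(IN PWSTR ValueName,
                        IN ULONG ValueType,
                        IN PVOID ValueData,
                        IN ULONG ValueLength,
                        IN PVOID Context,
                        IN PVOID EntryContext)
{
    PULONG Length = (PULONG)EntryContext;

    /* Only string data is meaningful here; refuse anything else on both passes */
    if ((ValueType != REG_SZ) && (ValueType != REG_MULTI_SZ))
        return STATUS_OBJECT_TYPE_MISMATCH;

    if (Context == NULL)
    {
        /* Sizing pass: tell the caller how much to allocate */
        *Length = ValueLength;
        return STATUS_SUCCESS;
    }

    /* Copy pass: the value may have changed since the sizing pass, never exceed the buffer */
    if (ValueLength > *Length)
        return STATUS_BUFFER_TOO_SMALL;

    RtlCopyMemory(Context, ValueData, ValueLength);
    *Length = ValueLength;
    return STATUS_SUCCESS;
}
```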
 RtlZeroMemory(QueryTable, sizeof(QueryTable));
- QueryTable[0].Flags = RTL_QUERY_REGISTRY_REQUIRED | RTL_QUERY_REGISTRY_DIRECT;
+ QueryTable[0].Flags = RTL_QUERY_REGISTRY_REQUIRED | RTL_QUERY_REGISTRY_NOEXPAND;
 QueryTable[0].Name = L"InstalledDisplayDrivers";
- QueryTable[0].EntryContext = DriverFileNames;
+ QueryTable[0].EntryContext = &Length;
+ QueryTable[0].QueryRoutine = EnumDisplayQueryRoutine;
 Status = RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE,
 RegistryPath.Buffer,
 QueryTable,
 NULL,
 NULL);
+ // DPRINT1("Status: %lx\n", Status);
+ if (Length)
+ {
+ DriverNames = ExAllocatePool(PagedPool, Length);
+ // DPRINT1("Length allocated: %d\n", Length);
+ Status = RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE,
+ RegistryPath.Buffer,
+ QueryTable,
+ DriverNames,
+ NULL);
+ if (!NT_SUCCESS(Status)) DriverNames = NULL;
+ }
+
 ExFreePoolWithTag(RegistryPath.Buffer, TAG_RTLREGISTRY);
 if (! NT_SUCCESS(Status))
 {
 DPRINT1("No InstalledDisplayDrivers value in service entry found\n");
 return FALSE;
 }
-
- DPRINT("DriverFileNames %S\n", DriverFileNames->Buffer);
+
+ RtlInitUnicodeString(DriverFileNames, DriverNames);
+ DriverFileNames->Length = Length;
+ DriverFileNames->MaximumLength = Length;
+ //DPRINT1("DriverFileNames %wZ\n", DriverFileNames);
 return TRUE;
 }
@@ -301,7 +343,7 @@
 continue;
 }
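Review bot: The ExAllocatePool(PagedPool, Length) result is never checked, so under memory pressure DriverNames is NULL and the second RtlQueryRegistryValues hands that NULL to the query routine as its copy destination, and when that second call fails the block only clears the pointer, leaking the allocation. The buffer is also allocated without a tag, yet the last hunk on this page shows DriverFileNames.Buffer being released with ExFreePoolWithTag(..., TAG_RTLREGISTRY) (presumably by the caller of FindDriverFileNames), so the free no longer matches the allocation; allocating with that same tag and freeing with it on the error path keeps the pair consistent. Separately, UNICODE_STRING Length and MaximumLength are USHORT, so assigning the ULONG Length silently truncates a REG_MULTI_SZ larger than 64 KiB, and an explicit `if (Length > MAXUSHORT) { ExFreePoolWithTag(DriverNames, TAG_RTLREGISTRY); return FALSE; }` before RtlInitUnicodeString would make that failure visible. FindDriverFileNames starts in the previous hunk.
```c
    if (Length)
    {
        /* Same tag as the ExFreePoolWithTag() later applied to DriverFileNames.Buffer */
        DriverNames = ExAllocatePoolWithTag(PagedPool, Length, TAG_RTLREGISTRY);
        if (DriverNames == NULL)
        {
            Status = STATUS_INSUFFICIENT_RESOURCES;
        }
        else
        {
            Status = RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE,
                                            RegistryPath.Buffer,
                                            QueryTable,
                                            DriverNames,
                                            NULL);
            if (!NT_SUCCESS(Status))
            {
                /* Do not leak the buffer on failure */
                ExFreePoolWithTag(DriverNames, TAG_RTLREGISTRY);
                DriverNames = NULL;
            }
        }
    }
    /* … unchanged: free RegistryPath.Buffer, bail out on !NT_SUCCESS(Status) … */
```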
- DPRINT("Display driver %S loaded\n", CurrentName);
+ DPRINT1("Display driver %S loaded\n", CurrentName);
ExFreePoolWithTag(DriverFileNames.Buffer, TAG_RTLREGISTRY);