Fixed a few length calculations in NtEnumerateValueKey which resulted in an overflow if the given buffer was too small. Modified: trunk/reactos/ntoskrnl/cm/ntfunc.c _____
Modified: trunk/reactos/ntoskrnl/cm/ntfunc.c
--- trunk/reactos/ntoskrnl/cm/ntfunc.c 2005-11-14 17:33:38 UTC (rev 19226)
+++ trunk/reactos/ntoskrnl/cm/ntfunc.c 2005-11-14 17:46:00 UTC (rev 19227)
@@ -1135,18 +1135,16 @@
 ROUND_UP(ValueFullInformation->DataOffset, sizeof(PVOID));
 ValueFullInformation->DataLength = ValueCell->DataSize & REG_DATA_SIZE_MASK;
- if (Length - FIELD_OFFSET(KEY_VALUE_FULL_INFORMATION, Name[0]) <
- NameSize)
+ if (Length < ValueFullInformation->DataOffset)
 {
 NameSize = Length - FIELD_OFFSET(KEY_VALUE_FULL_INFORMATION, Name[0]);
 DataSize = 0;
 Status = STATUS_BUFFER_OVERFLOW;
 CHECKPOINT;
 }
- else if (ROUND_UP(Length - FIELD_OFFSET(KEY_VALUE_FULL_INFORMATION,
- Name[0]) - NameSize, sizeof(PVOID)) < DataSize)
+ else if (Length - ValueFullInformation->DataOffset < DataSize)
 {
- DataSize = ROUND_UP(Length - FIELD_OFFSET(KEY_VALUE_FULL_INFORMATION, Name[0]) - NameSize, sizeof(PVOID));
+ DataSize = Length - ValueFullInformation->DataOffset;
 Status = STATUS_BUFFER_OVERFLOW;
 CHECKPOINT;
 }
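Review bot: The first branch still assigns `NameSize = Length - FIELD_OFFSET(KEY_VALUE_FULL_INFORMATION, Name[0]);` unconditionally, but it is now entered whenever `Length < ValueFullInformation->DataOffset`, and DataOffset was rounded up to sizeof(PVOID) in the context line just above the change; for a buffer that already holds the whole name but not the alignment padding, NameSize is set larger than the real name length, so a later copy of NameSize bytes (outside this hunk) would read past the name and report a too-large length. If Length is smaller than the fixed header the unsigned subtraction wraps to a huge NameSize as well, unless a check earlier in the function, not visible here, rejects such buffers. Clamping rather than overwriting avoids both: `if (Length <= FIELD_OFFSET(KEY_VALUE_FULL_INFORMATION, Name[0])) NameSize = 0;` `else if (NameSize > Length - FIELD_OFFSET(KEY_VALUE_FULL_INFORMATION, Name[0])) NameSize = Length - FIELD_OFFSET(KEY_VALUE_FULL_INFORMATION, Name[0]);`. The second branch is sound since the else already guarantees `Length >= DataOffset`. NtEnumerateValueKey begins and ends outside the hunk.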