[hbelusca] 60561: [CSRSRV]: In CsrCaptureArguments, be sure that the number of captured pointers is at most equal to MAXUSHORT (and not the total length of the captured buffer). - Ros-diffs

6 Oct 2013

Author: hbelusca
Date: Sun Oct  6 14:20:18 2013
New Revision: 60561
URL: http://svn.reactos.org/svn/reactos?rev=60561&view=rev
Log:
[CSRSRV]: In CsrCaptureArguments, be sure that the number of captured pointers is at most equal to MAXUSHORT (and not the total length of the captured buffer).
Modified:
    trunk/reactos/subsystems/win32/csrsrv/api.c
Modified: trunk/reactos/subsystems/win32/csrsrv/api.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/csrsrv/api...
==============================================================================

--- trunk/reactos/subsystems/win32/csrsrv/api.c	[iso-8859-1] (original)
+++ trunk/reactos/subsystems/win32/csrsrv/api.c	[iso-8859-1] Sun Oct  6 14:20:18 2013
@@ -1153,7 +1153,7 @@
         /* Check if the Length is valid */
         if ((FIELD_OFFSET(CSR_CAPTURE_BUFFER, PointerOffsetsArray) +
                 (LocalCaptureBuffer->PointerCount * sizeof(PVOID)) > Length) ||
-            (Length > MAXWORD))
+            (LocalCaptureBuffer->PointerCount > MAXUSHORT))
         {
             /* Return failure */
             DPRINT1("*** CSRSS: CaptureBuffer %p has bad length\n", LocalCaptureBuffer);

    