Author: hbelusca Date: Sun Oct 6 14:20:18 2013 New Revision: 60561 URL: http://svn.reactos.org/svn/reactos?rev=60561&view=rev Log: [CSRSRV]: In CsrCaptureArguments, be sure that the number of captured pointers is at most equal to MAXUSHORT (and not the total length of the captured buffer). Modified: trunk/reactos/subsystems/win32/csrsrv/api.c Modified: trunk/reactos/subsystems/win32/csrsrv/api.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/csrsrv/ap… ============================================================================== --- trunk/reactos/subsystems/win32/csrsrv/api.c [iso-8859-1] (original) +++ trunk/reactos/subsystems/win32/csrsrv/api.c [iso-8859-1] Sun Oct 6 14:20:18 2013 @@ -1153,7 +1153,7 @@ /* Check if the Length is valid */ if ((FIELD_OFFSET(CSR_CAPTURE_BUFFER, PointerOffsetsArray) + (LocalCaptureBuffer->PointerCount * sizeof(PVOID)) > Length) || - (Length > MAXWORD)) + (LocalCaptureBuffer->PointerCount > MAXUSHORT)) { /* Return failure */ DPRINT1("*** CSRSS: CaptureBuffer %p has bad length\n", LocalCaptureBuffer);