https://git.reactos.org/?p=reactos.git;a=commitdiff;h=15a3ca08b045941efdb49…
commit 15a3ca08b045941efdb49f15ec71beb41eb777f2
Author: Pierre Schweitzer <pierre(a)reactos.org>
AuthorDate: Fri Sep 21 08:31:05 2018 +0200
Commit: Pierre Schweitzer <pierre(a)reactos.org>
CommitDate: Fri Sep 21 08:37:20 2018 +0200
[NTOSKRNL] Avoid integer overflow when computing VACB read/write size
This could be triggered when attempting to read/write to really big
files. It was causing an attempt to read 0 bytes in Cc, leading to
assertion failures in the kernel (and a corrupted file).
CORE-15067
---
ntoskrnl/cc/copy.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/ntoskrnl/cc/copy.c b/ntoskrnl/cc/copy.c
index a46ed96640..78c6553d8a 100644
--- a/ntoskrnl/cc/copy.c
+++ b/ntoskrnl/cc/copy.c
@@ -86,12 +86,14 @@ CcReadVirtualAddress (
NTSTATUS Status;
IO_STATUS_BLOCK IoStatus;
KEVENT Event;
+ ULARGE_INTEGER LargeSize;
- Size = (ULONG)(Vacb->SharedCacheMap->SectionSize.QuadPart -
Vacb->FileOffset.QuadPart);
- if (Size > VACB_MAPPING_GRANULARITY)
+ LargeSize.QuadPart = Vacb->SharedCacheMap->SectionSize.QuadPart -
Vacb->FileOffset.QuadPart;
+ if (LargeSize.QuadPart > VACB_MAPPING_GRANULARITY)
{
- Size = VACB_MAPPING_GRANULARITY;
+ LargeSize.QuadPart = VACB_MAPPING_GRANULARITY;
}
+ Size = LargeSize.LowPart;
Pages = BYTES_TO_PAGES(Size);
ASSERT(Pages * PAGE_SIZE <= VACB_MAPPING_GRANULARITY);
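Review bot: The subtraction `SectionSize.QuadPart - Vacb->FileOffset.QuadPart` stored into `LargeSize.QuadPart` is still not checked for a VACB offset at or beyond the section size. If the two are equal, `Size` is 0 and the zero-length transfer described in the commit message remains reachable. If the offset is larger, the difference wraps in the unsigned `QuadPart` and is clamped to a full `VACB_MAPPING_GRANULARITY`, so the I/O would cover a range past the end of the section. Whether callers already rule this out is not visible here (both function bodies start and end outside the hunks), so I would add `ASSERT(Vacb->FileOffset.QuadPart < Vacb->SharedCacheMap->SectionSize.QuadPart);` before the subtraction, or return an error status if the invariant must also hold in free builds. The same applies to the identical sequence in the CcWriteVirtualAddress hunk.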
@@ -155,12 +157,14 @@ CcWriteVirtualAddress (
NTSTATUS Status;
IO_STATUS_BLOCK IoStatus;
KEVENT Event;
+ ULARGE_INTEGER LargeSize;
- Size = (ULONG)(Vacb->SharedCacheMap->SectionSize.QuadPart -
Vacb->FileOffset.QuadPart);
- if (Size > VACB_MAPPING_GRANULARITY)
+ LargeSize.QuadPart = Vacb->SharedCacheMap->SectionSize.QuadPart -
Vacb->FileOffset.QuadPart;
+ if (LargeSize.QuadPart > VACB_MAPPING_GRANULARITY)
{
- Size = VACB_MAPPING_GRANULARITY;
+ LargeSize.QuadPart = VACB_MAPPING_GRANULARITY;
}
+ Size = LargeSize.LowPart;
//
// Nonpaged pool PDEs in ReactOS must actually be synchronized between the
// MmGlobalPageDirectory and the real system PDE directory. What a mess...