Author: hbelusca Date: Fri Aug 1 19:03:50 2014 New Revision: 63795
URL: http://svn.reactos.org/svn/reactos?rev=63795&view=rev Log: [KERNEL32] Hack buffer protection check for pInputControl and lpBuffer user buffers.
Modified: branches/condrv_restructure/dll/win32/kernel32/client/console/readwrite.c
Modified: branches/condrv_restructure/dll/win32/kernel32/client/console/readwrite.c URL: http://svn.reactos.org/svn/reactos/branches/condrv_restructure/dll/win32/ker... ==============================================================================
--- branches/condrv_restructure/dll/win32/kernel32/client/console/readwrite.c [iso-8859-1] (original)
+++ branches/condrv_restructure/dll/win32/kernel32/client/console/readwrite.c [iso-8859-1] Fri Aug 1 19:03:50 2014
@@ -126,42 +126,53 @@
 * "This parameter requires Unicode input by default.
 * For ANSI mode, set this parameter to NULL."
 */
- if (bUnicode && pInputControl &&
- pInputControl->nLength == sizeof(CONSOLE_READCONSOLE_CONTROL))
- {
- /* Sanity check */
- if (pInputControl->nInitialChars <= nNumberOfCharsToRead)
- {
- ReadConsoleRequest->InitialNumBytes =
- pInputControl->nInitialChars * sizeof(WCHAR); // CharSize
-
- if (pInputControl->nInitialChars != 0)
+ _SEH2_TRY
+ {
+ if (bUnicode && pInputControl &&
+ pInputControl->nLength == sizeof(CONSOLE_READCONSOLE_CONTROL))
+ {
+ /* Sanity check */
+ if (pInputControl->nInitialChars <= nNumberOfCharsToRead)
 {
- /*
- * It is possible here to overwrite the static buffer, in case
- * the number of bytes to read was smaller than the static buffer.
- * In this case, this means we are continuing a pending read,
- * and we do not need in fact the executable name that was
- * stored in the static buffer because it was first grabbed when
- * we started the first read.
- */
- RtlCopyMemory(ReadConsoleRequest->Buffer,
- lpBuffer,
- ReadConsoleRequest->InitialNumBytes);
+ ReadConsoleRequest->InitialNumBytes =
+ pInputControl->nInitialChars * sizeof(WCHAR); // CharSize
+
+ if (pInputControl->nInitialChars != 0)
+ {
+ /*
+ * It is possible here to overwrite the static buffer, in case
+ * the number of bytes to read was smaller than the static buffer.
+ * In this case, this means we are continuing a pending read,
+ * and we do not need in fact the executable name that was
+ * stored in the static buffer because it was first grabbed when
+ * we started the first read.
+ */
+ RtlCopyMemory(ReadConsoleRequest->Buffer,
+ lpBuffer,
+ ReadConsoleRequest->InitialNumBytes);
+ }
+
+ ReadConsoleRequest->CtrlWakeupMask = pInputControl->dwCtrlWakeupMask;
 }
-
- ReadConsoleRequest->CtrlWakeupMask = pInputControl->dwCtrlWakeupMask;
+ else
+ {
+ // Status = STATUS_INVALID_PARAMETER;
+ }
 }
 else
 {
- // Status = STATUS_INVALID_PARAMETER;
- }
- }
- else
- {
- /* We are in a situation where pInputControl has no meaning */
- pInputControl = NULL;
- }
+ /* We are in a situation where pInputControl has no meaning */
+ pInputControl = NULL;
+ }
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ // HACK
+ if (CaptureBuffer) CsrFreeCaptureBuffer(CaptureBuffer);
+ SetLastError(ERROR_INVALID_ACCESS);
+ return FALSE;
+ }
+ _SEH2_END;
 /* Check for sanity */
 /*
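Review bot: The `else` branch inside the new `_SEH2_TRY` still carries `// Status = STATUS_INVALID_PARAMETER;` commented out, so a CONSOLE_READCONSOLE_CONTROL whose nInitialChars exceeds nNumberOfCharsToRead is neither rejected nor neutralised: pInputControl stays non-NULL while InitialNumBytes and CtrlWakeupMask are left at whatever value they held before this hunk (their initialisation is not visible here), so later code that tests pInputControl may treat a rejected control block as valid. Since the new handler already establishes a bail-out path, the same three lines in that `else` would make the range check effective: `if (CaptureBuffer) CsrFreeCaptureBuffer(CaptureBuffer); SetLastError(ERROR_INVALID_PARAMETER); return FALSE;`. The bare `// HACK` in the `_SEH2_EXCEPT` block should also say what is being worked around — it appears to duplicate the function's normal error cleanup rather than share it — e.g. `// HACK: cleanup duplicated from the error exit; fold into a common exit once request setup is restructured.` so the next maintainer knows what to replace. The SEH guard only protects the pInputControl and lpBuffer reads within this hunk; the enclosing function, including where CaptureBuffer is allocated and how ReadConsoleRequest->Buffer is sized relative to nNumberOfCharsToRead, lies outside the hunk and cannot be checked from here.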