Author: fireball
Date: Sat Feb 26 16:50:20 2011
New Revision: 50912
URL:
http://svn.reactos.org/svn/reactos?rev=50912&view=rev
Log:
[KERNEL32]
- Fix buffer overwrite in GetModuleFileName(). Spotted by DPH.
See issue #5964 for more details.
Modified:
trunk/reactos/dll/win32/kernel32/misc/ldr.c
Modified: trunk/reactos/dll/win32/kernel32/misc/ldr.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/kernel32/misc/ld…
==============================================================================
--- trunk/reactos/dll/win32/kernel32/misc/ldr.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/kernel32/misc/ldr.c [iso-8859-1] Sat Feb 26 16:50:20 2011
@@ -431,10 +431,10 @@
&Module->FullDllName,
FALSE);
- if (nSize < Length)
+ if (Length < nSize)
+ lpFilename[Length] = '\0';
+ else
SetLastErrorByStatus (STATUS_BUFFER_TOO_SMALL);
- else
- lpFilename[Length] = '\0';
RtlLeaveCriticalSection (Peb->LoaderLock);
return Length;
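Review bot: On the `else` path of this hunk (Length >= nSize), lpFilename is left without a terminator while the function still returns Length, so a caller that treats the buffer as a string or indexes it with the return value can go past nSize. Consider terminating the truncated result when there is room, e.g. `else { if (nSize) lpFilename[nSize - 1] = '\0'; SetLastErrorByStatus (STATUS_BUFFER_TOO_SMALL); }`, and confirm that the returned value cannot exceed nSize; the function begins above the hunk, so how Length is computed is not visible here. The same applies to the wide-character branch in the second hunk (`lpFilename[Length] = L'\0'`). A short comment above the test, such as `/* Length == nSize would write one element past the buffer */`, would record why the comparison is strict.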
@@ -489,10 +489,10 @@
RtlCopyUnicodeString (&FileName,
&Module->FullDllName);
- if (nSize < Length)
+ if (Length < nSize)
+ lpFilename[Length] = L'\0';
+ else
SetLastErrorByStatus (STATUS_BUFFER_TOO_SMALL);
- else
- lpFilename[Length] = L'\0';
RtlLeaveCriticalSection (Peb->LoaderLock);