Author: fireball Date: Sat Feb 26 16:50:20 2011 New Revision: 50912
URL: http://svn.reactos.org/svn/reactos?rev=50912&view=rev Log: [KERNEL32] - Fix buffer overwrite in GetModuleFileName(). Spotted by DPH. See issue #5964 for more details.
Modified: trunk/reactos/dll/win32/kernel32/misc/ldr.c
Modified: trunk/reactos/dll/win32/kernel32/misc/ldr.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/kernel32/misc/ldr... ==============================================================================
--- trunk/reactos/dll/win32/kernel32/misc/ldr.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/kernel32/misc/ldr.c [iso-8859-1] Sat Feb 26 16:50:20 2011
@@ -431,10 +431,10 @@
&Module->FullDllName, FALSE);
- if (nSize < Length)
+ if (Length < nSize)
+ lpFilename[Length] = '\0';
+ else
SetLastErrorByStatus (STATUS_BUFFER_TOO_SMALL);
- else
- lpFilename[Length] = '\0';
RtlLeaveCriticalSection (Peb->LoaderLock);
return Length;
@@ -489,10 +489,10 @@
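Review bot: On the `else` branch under `if (Length < nSize)` nothing visible in the hunk terminates lpFilename, yet the function still returns Length, so a caller that ignores the last-error value and treats the buffer as a C string may read past its end. How Length is derived and whether the conversion call above already terminates the buffer lie outside the hunk, so this is inferred from the visible lines only. If an unterminated result on truncation is the intended contract, state it next to the check, e.g. `/* Buffer too small: name is truncated and NOT NUL-terminated; index Length is only valid when Length < nSize */`; otherwise terminate inside the buffer with `if (nSize) lpFilename[nSize - 1] = '\0';` before setting the error. The same applies to the wide-character hunk at -489, and the enclosing function starts and ends outside both hunks.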
RtlCopyUnicodeString (&FileName, &Module->FullDllName);
- if (nSize < Length)
+ if (Length < nSize)
+ lpFilename[Length] = L'\0';
+ else
SetLastErrorByStatus (STATUS_BUFFER_TOO_SMALL);
- else
- lpFilename[Length] = L'\0';
RtlLeaveCriticalSection (Peb->LoaderLock);