https://git.reactos.org/?p=reactos.git;a=commitdiff;h=998870c5ea85eabdd2b4d… commit 998870c5ea85eabdd2b4df798f86e8de08d8a71b Author: Jérôme Gardou &lt;jerome.gardou(a)reactos.org&gt; AuthorDate: Mon Feb 8 14:33:08 2021 +0100 Commit: Jérôme Gardou &lt;zefklop(a)users.noreply.github.com&gt; CommitDate: Tue Mar 30 22:20:15 2021 +0200 [NTOS:MM] Properly fail for invalid sizes of data section mappings --- ntoskrnl/mm/ARM3/section.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/ntoskrnl/mm/ARM3/section.c b/ntoskrnl/mm/ARM3/section.c index 3e6a25b44db..1301267e6b3 100644 --- a/ntoskrnl/mm/ARM3/section.c +++ b/ntoskrnl/mm/ARM3/section.c @@ -1326,25 +1326,26 @@ MiMapViewOfDataSection(IN PCONTROL_AREA ControlArea, /* Check if the caller specified the view size */ if (!(*ViewSize)) { + LONGLONG ViewSizeLL; + /* The caller did not, so pick a 64K aligned view size based on the offset */ SectionOffset->LowPart &= ~(_64K - 1); - /* Make sure that we will not overflow */ - if ((Section->SizeOfSection.QuadPart - SectionOffset->QuadPart) > MAXLONG_PTR) + /* Calculate size and make sure this fits */ + if (!NT_SUCCESS(RtlLongLongSub(Section->SizeOfSection.QuadPart, SectionOffset->QuadPart, &ViewSizeLL)) + || !NT_SUCCESS(RtlLongLongToSIZET(ViewSizeLL, ViewSize)) + || (*ViewSize > MAXLONG_PTR)) { MiDereferenceControlArea(ControlArea); return STATUS_INVALID_VIEW_SIZE; } - - *ViewSize = (SIZE_T)(Section->SizeOfSection.QuadPart - SectionOffset->QuadPart); } else { - /* A size was specified, align it to a 64K boundary */ - *ViewSize += SectionOffset->LowPart & (_64K - 1); - - /* Check for overflow or huge value */ - if ((*ViewSize < (SectionOffset->LowPart & (_64K - 1))) || ((*ViewSize) > MAXLONG_PTR)) + /* A size was specified, align it to a 64K boundary + * and check for overflow or huge value. */ + if (!NT_SUCCESS(RtlSIZETAdd(*ViewSize, SectionOffset->LowPart & (_64K - 1), ViewSize)) + || (*ViewSize > MAXLONG_PTR)) { MiDereferenceControlArea(ControlArea); return STATUS_INVALID_VIEW_SIZE;