Author: fireball Date: Thu Oct 13 18:15:50 2011 New Revision: 54116
URL: http://svn.reactos.org/svn/reactos?rev=54116&view=rev Log: [RTL] - Fix two bugs revealed by the newly added test in r54114. * Original length of the passed string should be used when checking for out-of-buffer access in the loop * PathChars should be updated if a DOS device name was found in the given string. See issue #6390 for more details.
Modified: trunk/reactos/lib/rtl/path.c
Modified: trunk/reactos/lib/rtl/path.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/lib/rtl/path.c?rev=54116&am...
==============================================================================
--- trunk/reactos/lib/rtl/path.c [iso-8859-1] (original)
+++ trunk/reactos/lib/rtl/path.c [iso-8859-1] Thu Oct 13 18:15:50 2011
@@ -48,7 +48,7 @@
 UNICODE_STRING PathCopy;
 PWCHAR Start, End;
 USHORT PathChars, ColonCount = 0;
- USHORT ReturnOffset = 0, ReturnLength;
+ USHORT ReturnOffset = 0, ReturnLength, OriginalLength;
 WCHAR c;
/* Validate the input */
@@ -77,6 +77,7 @@
/* Make a copy of the string */
 PathCopy = *PathString;
+ OriginalLength = PathString->Length;
/* Return if there's no characters */
 PathChars = PathCopy.Length / sizeof(WCHAR);
@@ -124,16 +125,19 @@
 c = *End | ' '; // ' ' == ('z' - 'Z')
/* Check if it's a DOS device (LPT, COM, PRN, AUX, or NUL) */
- if ((End < &PathCopy.Buffer[PathCopy.Length / sizeof(WCHAR)]) &&
+ if ((End < &PathCopy.Buffer[OriginalLength / sizeof(WCHAR)]) &&
 ((c == 'l') || (c == 'c') || (c == 'p') || (c == 'a') || (c == 'n')))
 {
 /* Calculate the offset */
 ReturnOffset = (PCHAR)End - (PCHAR)PathCopy.Buffer;
/* Build the final string */ - PathCopy.Length -= ReturnOffset; - PathCopy.Length -= (ColonCount * sizeof(WCHAR)); + PathCopy.Length = OriginalLength - ReturnOffset - (ColonCount * sizeof(WCHAR)); PathCopy.Buffer = End; + + /* Save new amount of chars in the path */ + PathChars = PathCopy.Length / sizeof(WCHAR); + break; } else
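Review bot: The context line `c = *End | ' ';` at the top of this hunk still dereferences `End` before the `End < &PathCopy.Buffer[OriginalLength / sizeof(WCHAR)]` check, so if `End` can reach the end of the caller's buffer the code reads one WCHAR past it (a UNICODE_STRING need not be NUL-terminated). The commit corrects the bound but not the order; the read could be guarded with `c = (End < &PathCopy.Buffer[OriginalLength / sizeof(WCHAR)]) ? (*End | ' ') : 0;`, which leaves the existing condition false in the out-of-range case. Separately, `PathCopy.Length = OriginalLength - ReturnOffset - (ColonCount * sizeof(WCHAR));` is stored in a USHORT and would wrap if `ReturnOffset` plus the colon bytes ever exceeded `OriginalLength`. Whether that is possible depends on how `ColonCount` is accumulated outside this hunk, so an explicit check or ASSERT there would make the invariant visible. The enclosing loop and the `else` branch continue outside the hunk.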