commit a279b1d2c6cd9a147dab71fa7e05d55ba7639ada Author: Nguyen Trung Khanh nguyentrungkhanh97@gmail.com AuthorDate: Sat Jun 20 10:16:56 2020 +0700 Commit: Thomas Faber thomas.faber@reactos.org CommitDate: Wed Jun 24 09:15:27 2020 +0200
[WIN32K:NTUSER] Zero allocated memory in IntCbAllocateMemory.
This avoids disclosing pool contents to user mode when not all members of the respective structure are initialized or when there is padding.
In co_IntCallWindowProc, also zero the stack buffer since this can be passed to user mode as well, and contains padding. --- win32ss/user/ntuser/callback.c | 15 ++------------- win32ss/user/rtl/text.c | 1 - 2 files changed, 2 insertions(+), 14 deletions(-)
diff --git a/win32ss/user/ntuser/callback.c b/win32ss/user/ntuser/callback.c
index 7bcc65f5962..25e6eee5dd7 100644
--- a/win32ss/user/ntuser/callback.c
+++ b/win32ss/user/ntuser/callback.c
@@ -35,6 +35,7 @@ IntCbAllocateMemory(ULONG Size)
 return NULL;
 }
+ RtlZeroMemory(Mem, Size + sizeof(INT_CALLBACK_HEADER));
 W32Thread = PsGetCurrentThreadWin32Thread();
 ASSERT(W32Thread);
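Review bot: The zeroing length `Size + sizeof(INT_CALLBACK_HEADER)` on the added line repeats the size expression the allocation presumably uses a few lines above, outside this hunk; if either expression is later changed alone, the RtlZeroMemory becomes an out-of-bounds write or leaves an unzeroed tail that is still handed to user mode. Computing the total once, `SIZE_T TotalSize = Size + sizeof(INT_CALLBACK_HEADER);`, and passing it to both the allocation and the RtlZeroMemory keeps the two in step. A short comment on the new line, such as `/* Wipe header and payload: the block is copied to user mode, padding included */`, would record why the whole block rather than only the header is cleared. IntCbAllocateMemory's body starts and ends outside the hunk.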
@@ -185,10 +186,6 @@ co_IntClientLoadLibrary(PUNICODE_STRING pstrLibName,
 pLibNameBuffer -= (ULONG_PTR)pArguments;
 pArguments->strLibraryName.Buffer = (PWCHAR)(pLibNameBuffer);
 }
- else
- {
- RtlZeroMemory(&pArguments->strLibraryName, sizeof(UNICODE_STRING));
- }
if(pstrInitFunc)
 {
@@ -202,10 +199,6 @@ co_IntClientLoadLibrary(PUNICODE_STRING pstrLibName,
 pInitFuncBuffer -= (ULONG_PTR)pArguments;
 pArguments->strInitFuncName.Buffer = (PWCHAR)(pInitFuncBuffer);
 }
- else
- {
- RtlZeroMemory(&pArguments->strInitFuncName, sizeof(UNICODE_STRING));
- }
/* Do the callback */
 UserLeaveCo();
@@ -294,7 +287,7 @@ co_IntCallWindowProc(WNDPROC Proc,
 LPARAM lParam,
 INT lParamBufferSize)
 {
- WINDOWPROC_CALLBACK_ARGUMENTS StackArguments;
+ WINDOWPROC_CALLBACK_ARGUMENTS StackArguments = { 0 };
 PWINDOWPROC_CALLBACK_ARGUMENTS Arguments;
 NTSTATUS Status;
 PVOID ResultPointer, pActCtx;
@@ -662,7 +655,6 @@ co_IntCallHookProc(INT HookId,
 Common->offPfn = offPfn;
 Common->Ansi = Ansi;
 Common->lParamSize = lParamSize;
- RtlZeroMemory(&Common->ModuleName, sizeof(Common->ModuleName));
 if (ModuleName->Buffer && ModuleName->Length)
 {
 RtlCopyMemory(&Common->ModuleName, ModuleName->Buffer, ModuleName->Length);
@@ -929,9 +921,6 @@ co_IntCallLoadMenu( HINSTANCE hModule,
 }
 Common = (PLOADMENU_CALLBACK_ARGUMENTS) Argument;
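Review bot: `= { 0 }` on the new StackArguments declaration is not a firm guarantee for the padding bytes the commit message wants cleared: C11's padding-is-zeroed wording in 6.7.9 is stated for static storage, so a compiler may initialise an automatic struct member by member and leave its padding untouched. Since this buffer is passed to user mode, an explicit wipe is the safer form: keep the declaration and add `RtlZeroMemory(&StackArguments, sizeof(StackArguments));` as the first statement of the body, with a one-line comment noting that the struct is copied to user mode and must not carry stack contents in its padding. The rest of co_IntCallWindowProc, including where StackArguments is chosen over the pool buffer and copied out, lies outside the hunk.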
- // Help Intersource check and MenuName is now 4 bytes + so zero it.
- RtlZeroMemory(Common, ArgumentLength);
-
 Common->hModule = hModule;
 if (pMenuName->Length)
 RtlCopyMemory(&Common->MenuName, pMenuName->Buffer, pMenuName->Length);
diff --git a/win32ss/user/rtl/text.c b/win32ss/user/rtl/text.c
index 0ab3f00ea31..ac12626796b 100644
--- a/win32ss/user/rtl/text.c
+++ b/win32ss/user/rtl/text.c
@@ -997,7 +997,6 @@ BOOL UserExtTextOutW(HDC hdc,
 }
 else
 {
- RtlZeroMemory(&Argument->rect, sizeof(RECT));
 Argument->bRect = FALSE;
 }