https://git.reactos.org/?p=reactos.git;a=commitdiff;h=a279b1d2c6cd9a147dab7… commit a279b1d2c6cd9a147dab71fa7e05d55ba7639ada Author: Nguyen Trung Khanh <nguyentrungkhanh97(a)gmail.com> AuthorDate: Sat Jun 20 10:16:56 2020 +0700 Commit: Thomas Faber <thomas.faber(a)reactos.org> CommitDate: Wed Jun 24 09:15:27 2020 +0200 [WIN32K:NTUSER] Zero allocated memory in IntCbAllocateMemory. This avoids disclosing pool contents to user mode when not all members of the respective structure are initialized or when there is padding. In co_IntCallWindowProc, also zero the stack buffer since this can be passed to user mode as well, and contains padding. --- win32ss/user/ntuser/callback.c | 15 ++------------- win32ss/user/rtl/text.c | 1 - 2 files changed, 2 insertions(+), 14 deletions(-) diff --git a/win32ss/user/ntuser/callback.c b/win32ss/user/ntuser/callback.c index 7bcc65f5962..25e6eee5dd7 100644 --- a/win32ss/user/ntuser/callback.c +++ b/win32ss/user/ntuser/callback.c @@ -35,6 +35,7 @@ IntCbAllocateMemory(ULONG Size) return NULL; } + RtlZeroMemory(Mem, Size + sizeof(INT_CALLBACK_HEADER)); W32Thread = PsGetCurrentThreadWin32Thread(); ASSERT(W32Thread); @@ -185,10 +186,6 @@ co_IntClientLoadLibrary(PUNICODE_STRING pstrLibName, pLibNameBuffer -= (ULONG_PTR)pArguments; pArguments->strLibraryName.Buffer = (PWCHAR)(pLibNameBuffer); } - else - { - RtlZeroMemory(&pArguments->strLibraryName, sizeof(UNICODE_STRING)); - } if(pstrInitFunc) { @@ -202,10 +199,6 @@ co_IntClientLoadLibrary(PUNICODE_STRING pstrLibName, pInitFuncBuffer -= (ULONG_PTR)pArguments; pArguments->strInitFuncName.Buffer = (PWCHAR)(pInitFuncBuffer); } - else - { - RtlZeroMemory(&pArguments->strInitFuncName, sizeof(UNICODE_STRING)); - } /* Do the callback */ UserLeaveCo(); @@ -294,7 +287,7 @@ co_IntCallWindowProc(WNDPROC Proc, LPARAM lParam, INT lParamBufferSize) { - WINDOWPROC_CALLBACK_ARGUMENTS StackArguments; + WINDOWPROC_CALLBACK_ARGUMENTS StackArguments = { 0 }; PWINDOWPROC_CALLBACK_ARGUMENTS Arguments; NTSTATUS Status; PVOID ResultPointer, pActCtx; @@ -662,7 +655,6 @@ co_IntCallHookProc(INT HookId, Common->offPfn = offPfn; Common->Ansi = Ansi; Common->lParamSize = lParamSize; - RtlZeroMemory(&Common->ModuleName, sizeof(Common->ModuleName)); if (ModuleName->Buffer && ModuleName->Length) { RtlCopyMemory(&Common->ModuleName, ModuleName->Buffer, ModuleName->Length); @@ -929,9 +921,6 @@ co_IntCallLoadMenu( HINSTANCE hModule, } Common = (PLOADMENU_CALLBACK_ARGUMENTS) Argument; - // Help Intersource check and MenuName is now 4 bytes + so zero it. - RtlZeroMemory(Common, ArgumentLength); - Common->hModule = hModule; if (pMenuName->Length) RtlCopyMemory(&Common->MenuName, pMenuName->Buffer, pMenuName->Length); diff --git a/win32ss/user/rtl/text.c b/win32ss/user/rtl/text.c index 0ab3f00ea31..ac12626796b 100644 --- a/win32ss/user/rtl/text.c +++ b/win32ss/user/rtl/text.c @@ -997,7 +997,6 @@ BOOL UserExtTextOutW(HDC hdc, } else { - RtlZeroMemory(&Argument->rect, sizeof(RECT)); Argument->bRect = FALSE; }