Author: aandrejevic
Date: Wed Apr 22 12:13:14 2015
New Revision: 67347
URL:
http://svn.reactos.org/svn/reactos?rev=67347&view=rev
Log:
[NTVDM]
Avoid array indexing with invalid indexes, always.
Modified:
trunk/reactos/subsystems/mvdm/ntvdm/dos/dos32krnl/emsdrv.c
trunk/reactos/subsystems/mvdm/ntvdm/dos/dos32krnl/himem.c
Modified: trunk/reactos/subsystems/mvdm/ntvdm/dos/dos32krnl/emsdrv.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/mvdm/ntvdm/dos/…
==============================================================================
--- trunk/reactos/subsystems/mvdm/ntvdm/dos/dos32krnl/emsdrv.c [iso-8859-1] (original)
+++ trunk/reactos/subsystems/mvdm/ntvdm/dos/dos32krnl/emsdrv.c [iso-8859-1] Wed Apr 22
12:13:14 2015
@@ -35,12 +35,18 @@
/* PRIVATE FUNCTIONS **********************************************************/
+static PEMS_HANDLE GetHandleRecord(USHORT Handle)
+{
+ if (Handle >= EMS_MAX_HANDLES) return NULL;
+ return &HandleTable[Handle];
+}
+
static USHORT EmsFree(USHORT Handle)
{
PLIST_ENTRY Entry;
- PEMS_HANDLE HandleEntry = &HandleTable[Handle];
-
- if (Handle >= EMS_MAX_HANDLES || !HandleEntry->Allocated)
+ PEMS_HANDLE HandleEntry = GetHandleRecord(Handle);
+
+ if (HandleEntry == NULL || !HandleEntry->Allocated)
{
return EMS_STATUS_INVALID_HANDLE;
}
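Review bot: GetHandleRecord in emsdrv.c validates only the range, so every caller touched by this commit (EmsFree here, EmsMap, and the source and destination branches in the later hunks) still has to remember `|| !HandleEntry->Allocated`. The helper of the same name in himem.c already returns NULL for an unused slot, so the two files now have identically named helpers with different contracts. The handle appears to come from the guest, so I would fold the allocation check into the helper if no caller needs an unallocated record, which is not visible in these hunks. Otherwise, state the contract on it: `/* Returns NULL if Handle is out of range; does NOT check ->Allocated, callers must. */`. EmsFree's body continues outside the hunk.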
@@ -131,7 +137,7 @@
static USHORT EmsMap(USHORT Handle, UCHAR PhysicalPage, USHORT LogicalPage)
{
PEMS_PAGE PageEntry;
- PEMS_HANDLE HandleEntry = &HandleTable[Handle];
+ PEMS_HANDLE HandleEntry = GetHandleRecord(Handle);
if (PhysicalPage >= EMS_PHYSICAL_PAGES) return EMS_STATUS_INV_PHYSICAL_PAGE;
if (LogicalPage == 0xFFFF)
@@ -141,7 +147,10 @@
return EMS_STATUS_OK;
}
- if (Handle >= EMS_MAX_HANDLES || !HandleEntry->Allocated) return
EMS_STATUS_INVALID_HANDLE;
+ if (HandleEntry == NULL || !HandleEntry->Allocated)
+ {
+ return EMS_STATUS_INVALID_HANDLE;
+ }
PageEntry = GetLogicalPage(HandleEntry, LogicalPage);
if (!PageEntry) return EMS_STATUS_INV_LOGICAL_PAGE;
@@ -224,9 +233,9 @@
if (Data->SourceType)
{
/* Expanded memory */
- HandleEntry = &HandleTable[Data->SourceHandle];
-
- if (Data->SourceHandle >= EMS_MAX_HANDLES ||
!HandleEntry->Allocated)
+ HandleEntry = GetHandleRecord(Data->SourceHandle);
+
+ if (HandleEntry == NULL || !HandleEntry->Allocated)
{
setAL(EMS_STATUS_INVALID_HANDLE);
break;
@@ -253,9 +262,9 @@
if (Data->DestType)
{
/* Expanded memory */
- HandleEntry = &HandleTable[Data->DestHandle];
-
- if (Data->SourceHandle >= EMS_MAX_HANDLES ||
!HandleEntry->Allocated)
+ HandleEntry = GetHandleRecord(Data->DestHandle);
+
+ if (HandleEntry == NULL || !HandleEntry->Allocated)
{
setAL(EMS_STATUS_INVALID_HANDLE);
break;
Modified: trunk/reactos/subsystems/mvdm/ntvdm/dos/dos32krnl/himem.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/mvdm/ntvdm/dos/…
==============================================================================
--- trunk/reactos/subsystems/mvdm/ntvdm/dos/dos32krnl/himem.c [iso-8859-1] (original)
+++ trunk/reactos/subsystems/mvdm/ntvdm/dos/dos32krnl/himem.c [iso-8859-1] Wed Apr 22
12:13:14 2015
@@ -46,9 +46,10 @@
static inline PXMS_HANDLE GetHandleRecord(WORD Handle)
{
- PXMS_HANDLE Entry = &HandleTable[Handle - 1];
+ PXMS_HANDLE Entry;
if (Handle == 0 || Handle >= XMS_MAX_HANDLES) return NULL;
+ Entry = &HandleTable[Handle - 1];
return Entry->Size ? Entry : NULL;
}
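Review bot: The bound `Handle >= XMS_MAX_HANDLES` looks one too strict for a 1-based handle that is indexed as `HandleTable[Handle - 1]`. If HandleTable has XMS_MAX_HANDLES entries (its declaration is outside the hunk), handle XMS_MAX_HANDLES maps to the last valid slot but is rejected. The error is on the safe side, with no out-of-range index, but if the allocator can hand out that last slot the guest receives a handle that every later lookup refuses. In that case the check should read `if (Handle == 0 || Handle > XMS_MAX_HANDLES) return NULL;`; if the last slot is deliberately unused, a one-line comment saying so would prevent a future "fix" in the wrong direction.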