Author: hbelusca Date: Sat Jan 26 19:07:59 2013 New Revision: 58229

URL: http://svn.reactos.org/svn/reactos?rev=58229&view=rev Log: [KERNEL32] Clean-up IntReadConsoleOutputCode a little bit.

[CONSRV] Fix a buffer overflow in SrvReadConsoleOutputString, which was translated sometimes into heap corruption and assert, triggered when freeing a remote captured buffer in csrsrv, when executing kernel32_winetest console, just during a call to ReadConsoleOutputCharacterA. Nevertheless I still keep the culprit code (commented-out now) because it might be useful in the future.

Modified: branches/ros-csrss/dll/win32/kernel32/client/console/readwrite.c branches/ros-csrss/win32ss/user/consrv/conoutput.c

Modified: branches/ros-csrss/dll/win32/kernel32/client/console/readwrite.c URL: http://svn.reactos.org/svn/reactos/branches/ros-csrss/dll/win32/kernel32/cli... ============================================================================== --- branches/ros-csrss/dll/win32/kernel32/client/console/readwrite.c [iso-8859-1] (original) +++ branches/ros-csrss/dll/win32/kernel32/client/console/readwrite.c [iso-8859-1] Sat Jan 26 19:07:59 2013 @@ -351,33 +351,26 @@ ReadOutputCodeRequest->CodeType = CodeType; ReadOutputCodeRequest->ReadCoord = dwReadCoord;

- // while (nLength > 0) - { - ReadOutputCodeRequest->NumCodesToRead = nLength; - // SizeBytes = ReadOutputCodeRequest->NumCodesToRead * CodeSize; - - Status = CsrClientCallServer((PCSR_API_MESSAGE)&ApiMessage, - CaptureBuffer, - CSR_CREATE_API_NUMBER(CONSRV_SERVERDLL_INDEX, ConsolepReadConsoleOutputString), - sizeof(CONSOLE_READOUTPUTCODE)); - if (!NT_SUCCESS(Status) || !NT_SUCCESS(Status = ApiMessage.Status)) - { - BaseSetLastNTError(Status); - CsrFreeCaptureBuffer(CaptureBuffer); - return FALSE; - } - - BytesRead = ReadOutputCodeRequest->CodesRead * CodeSize; - memcpy(pCode, ReadOutputCodeRequest->pCode.pCode, BytesRead); - // pCode = (PVOID)((ULONG_PTR)pCode + /*(ULONG_PTR)*/BytesRead); - // nLength -= ReadOutputCodeRequest->CodesRead; - // CodesRead += ReadOutputCodeRequest->CodesRead; - - ReadOutputCodeRequest->ReadCoord = ReadOutputCodeRequest->EndCoord; - } + ReadOutputCodeRequest->NumCodesToRead = nLength; + + Status = CsrClientCallServer((PCSR_API_MESSAGE)&ApiMessage, + CaptureBuffer, + CSR_CREATE_API_NUMBER(CONSRV_SERVERDLL_INDEX, ConsolepReadConsoleOutputString), + sizeof(CONSOLE_READOUTPUTCODE)); + if (!NT_SUCCESS(Status) || !NT_SUCCESS(Status = ApiMessage.Status)) + { + BaseSetLastNTError(Status); + CsrFreeCaptureBuffer(CaptureBuffer); + return FALSE; + } + + BytesRead = ReadOutputCodeRequest->CodesRead * CodeSize; + memcpy(pCode, ReadOutputCodeRequest->pCode.pCode, BytesRead); + + ReadOutputCodeRequest->ReadCoord = ReadOutputCodeRequest->EndCoord;

if (lpNumberOfCodesRead != NULL) - *lpNumberOfCodesRead = /*CodesRead;*/ ReadOutputCodeRequest->CodesRead; + *lpNumberOfCodesRead = ReadOutputCodeRequest->CodesRead;

CsrFreeCaptureBuffer(CaptureBuffer);

Modified: branches/ros-csrss/win32ss/user/consrv/conoutput.c URL: http://svn.reactos.org/svn/reactos/branches/ros-csrss/win32ss/user/consrv/co... ============================================================================== --- branches/ros-csrss/win32ss/user/consrv/conoutput.c [iso-8859-1] (original) +++ branches/ros-csrss/win32ss/user/consrv/conoutput.c [iso-8859-1] Sat Jan 26 19:07:59 2013 @@ -862,20 +862,20 @@ } }

- switch (CodeType) - { - case CODE_UNICODE: - *(PWCHAR)ReadBuffer = 0; - break; - - case CODE_ASCII: - *(PCHAR)ReadBuffer = 0; - break; - - case CODE_ATTRIBUTE: - *(PWORD)ReadBuffer = 0; - break; - } + // switch (CodeType) + // { + // case CODE_UNICODE: + // *(PWCHAR)ReadBuffer = 0; + // break; + + // case CODE_ASCII: + // *(PCHAR)ReadBuffer = 0; + // break; + + // case CODE_ATTRIBUTE: + // *(PWORD)ReadBuffer = 0; + // break; + // }

ReadOutputCodeRequest->EndCoord.X = Xpos; ReadOutputCodeRequest->EndCoord.Y = (Ypos - Buff->VirtualY + Buff->MaxY) % Buff->MaxY;