Author: rharabien Date: Fri Apr 1 22:10:52 2011 New Revision: 51222
URL: http://svn.reactos.org/svn/reactos?rev=51222&view=rev Log: [ADVAPI32] * Fix bug in RegQueryValueExA, which causes buffer overflow * Fixes systeminfo in ReactOS See issue #6050 for more details.
Modified: trunk/reactos/dll/win32/advapi32/reg/reg.c
Modified: trunk/reactos/dll/win32/advapi32/reg/reg.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/advapi32/reg/reg.... ============================================================================== --- trunk/reactos/dll/win32/advapi32/reg/reg.c [iso-8859-1] (original) +++ trunk/reactos/dll/win32/advapi32/reg/reg.c [iso-8859-1] Fri Apr 1 22:10:52 2011 @@ -3988,7 +3988,7 @@ LPDWORD lpcbData) { UNICODE_STRING ValueName; - UNICODE_STRING ValueData; + LPWSTR lpValueBuffer; LONG ErrorCode; DWORD Length; DWORD Type; @@ -4003,39 +4003,42 @@ return ERROR_INVALID_PARAMETER; }
+ Length = (lpcbData == NULL || lpData == NULL) ? 0 : *lpcbData * sizeof(WCHAR); + if (lpData) { - ValueData.Length = 0; - ValueData.MaximumLength = (*lpcbData + 1) * sizeof(WCHAR); - ValueData.Buffer = RtlAllocateHeap(ProcessHeap, - 0, - ValueData.MaximumLength); - if (!ValueData.Buffer) + lpValueBuffer = RtlAllocateHeap(ProcessHeap, + 0, + Length + sizeof(WCHAR)); + if (!lpValueBuffer) { return ERROR_OUTOFMEMORY; } } else { - ValueData.Buffer = NULL; - ValueData.Length = 0; - ValueData.MaximumLength = 0; + lpValueBuffer = NULL;
if (lpcbData) *lpcbData = 0; }
- RtlCreateUnicodeStringFromAsciiz(&ValueName, - (LPSTR)lpValueName); - - Length = (lpcbData == NULL) ? 0 : *lpcbData * sizeof(WCHAR); + if(!RtlCreateUnicodeStringFromAsciiz(&ValueName, + (LPSTR)lpValueName)) + { + ERR("RtlCreateUnicodeStringFromAsciiz failed!\n"); + ErrorCode = ERROR_OUTOFMEMORY; + goto cleanup; + } + ErrorCode = RegQueryValueExW(hKey, ValueName.Buffer, lpReserved, &Type, - (lpData == NULL) ? NULL : (LPBYTE)ValueData.Buffer, + (LPBYTE)lpValueBuffer, &Length); TRACE("ErrorCode %lu\n", ErrorCode); + RtlFreeUnicodeString(&ValueName);
if (ErrorCode == ERROR_SUCCESS || @@ -4044,9 +4047,9 @@
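Review bot: The size arithmetic on the new `Length = (lpcbData == NULL || lpData == NULL) ? 0 : *lpcbData * sizeof(WCHAR);` line and on the `Length + sizeof(WCHAR)` allocation can wrap, because Length is a DWORD and *lpcbData is caller-supplied: a byte count near 0xFFFFFFFF yields a tiny heap block on 32-bit builds while RegQueryValueExW is told it may write up to Length bytes, so a caller's wrong size becomes an overflow of this function's temporary buffer, and on 64-bit builds the size_t product is silently truncated on assignment. Since this wrapper is where ANSI callers hand in a byte count, I would refuse sizes that cannot be doubled before allocating, `if (lpData && lpcbData && *lpcbData > (MAXDWORD - sizeof(WCHAR)) / sizeof(WCHAR)) return ERROR_INVALID_PARAMETER;` placed ahead of the Length computation. The parameter check that returns ERROR_INVALID_PARAMETER is cut off just above the hunk and may already cover part of this; the function body also continues past the hunk.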
if (is_string(Type)) { - if (ErrorCode == ERROR_SUCCESS && ValueData.Buffer != NULL) + if (ErrorCode == ERROR_SUCCESS && lpValueBuffer != NULL) { - Status = RtlUnicodeToMultiByteN((PCHAR)lpData, *lpcbData, &Index, (PWCHAR)ValueData.Buffer, Length); + Status = RtlUnicodeToMultiByteN((PCHAR)lpData, *lpcbData, &Index, (PWCHAR)lpValueBuffer, Length); if (NT_SUCCESS(Status)) { PCHAR szData = (PCHAR)lpData; @@ -4063,7 +4066,7 @@
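Review bot: The conversion on the `Status = RtlUnicodeToMultiByteN((PCHAR)lpData, *lpcbData, &Index, (PWCHAR)lpValueBuffer, Length);` line is bounded only by the caller's byte count, so on a double-byte code page a string whose ANSI form needs more than *lpcbData bytes is truncated without the caller being told, unlike the non-string path which checks `*lpcbData < Length` before copying. The lines following `PCHAR szData = (PCHAR)lpData;` are outside the hunk, so if they do not already compare the required ANSI size with *lpcbData, I would compute it first with `RtlUnicodeToMultiByteSize(&Needed, (PWCHAR)lpValueBuffer, Length);` (Needed a ULONG local) and presumably return ERROR_MORE_DATA with `*lpcbData = Needed;` when it does not fit. This behaviour predates the commit and the rename keeps it, but a fix-up of this function's buffer handling is the natural place to close it.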
Length = Length / sizeof(WCHAR); } - else if (ErrorCode == ERROR_SUCCESS && ValueData.Buffer != NULL) + else if (ErrorCode == ERROR_SUCCESS && lpValueBuffer != NULL) { if (*lpcbData < Length) { @@ -4071,7 +4074,7 @@ } else { - RtlMoveMemory(lpData, ValueData.Buffer, Length); + RtlMoveMemory(lpData, lpValueBuffer, Length); } }
@@ -4086,9 +4089,10 @@ *lpType = Type; }
- if (ValueData.Buffer != NULL) - { - RtlFreeHeap(ProcessHeap, 0, ValueData.Buffer); +cleanup: + if (lpValueBuffer != NULL) + { + RtlFreeHeap(ProcessHeap, 0, lpValueBuffer); }
return ErrorCode;