Author: rharabien
Date: Fri Apr 1 22:10:52 2011
New Revision: 51222
URL:
http://svn.reactos.org/svn/reactos?rev=51222&view=rev
Log:
[ADVAPI32]
* Fix a bug in RegQueryValueExA that caused a buffer overflow
* Fixes systeminfo in ReactOS
See issue #6050 for more details.
Modified:
trunk/reactos/dll/win32/advapi32/reg/reg.c
Modified: trunk/reactos/dll/win32/advapi32/reg/reg.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/advapi32/reg/reg…
==============================================================================
--- trunk/reactos/dll/win32/advapi32/reg/reg.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/advapi32/reg/reg.c [iso-8859-1] Fri Apr 1 22:10:52 2011
@@ -3988,7 +3988,7 @@
LPDWORD lpcbData)
{
UNICODE_STRING ValueName;
- UNICODE_STRING ValueData;
+ LPWSTR lpValueBuffer;
LONG ErrorCode;
DWORD Length;
DWORD Type;
@@ -4003,39 +4003,42 @@
return ERROR_INVALID_PARAMETER;
}
+ Length = (lpcbData == NULL || lpData == NULL) ? 0 : *lpcbData * sizeof(WCHAR);
+
if (lpData)
{
- ValueData.Length = 0;
- ValueData.MaximumLength = (*lpcbData + 1) * sizeof(WCHAR);
- ValueData.Buffer = RtlAllocateHeap(ProcessHeap,
- 0,
- ValueData.MaximumLength);
- if (!ValueData.Buffer)
+ lpValueBuffer = RtlAllocateHeap(ProcessHeap,
+ 0,
+ Length + sizeof(WCHAR));
+ if (!lpValueBuffer)
{
return ERROR_OUTOFMEMORY;
}
}
else
{
- ValueData.Buffer = NULL;
- ValueData.Length = 0;
- ValueData.MaximumLength = 0;
+ lpValueBuffer = NULL;
if (lpcbData)
*lpcbData = 0;
}
- RtlCreateUnicodeStringFromAsciiz(&ValueName,
- (LPSTR)lpValueName);
-
- Length = (lpcbData == NULL) ? 0 : *lpcbData * sizeof(WCHAR);
+ if(!RtlCreateUnicodeStringFromAsciiz(&ValueName,
+ (LPSTR)lpValueName))
+ {
+ ERR("RtlCreateUnicodeStringFromAsciiz failed!\n");
+ ErrorCode = ERROR_OUTOFMEMORY;
+ goto cleanup;
+ }
+
ErrorCode = RegQueryValueExW(hKey,
ValueName.Buffer,
lpReserved,
&Type,
- (lpData == NULL) ? NULL : (LPBYTE)ValueData.Buffer,
+ (LPBYTE)lpValueBuffer,
&Length);
TRACE("ErrorCode %lu\n", ErrorCode);
+
RtlFreeUnicodeString(&ValueName);
if (ErrorCode == ERROR_SUCCESS ||
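Review bot: The new `Length` expression at the top of the hunk tolerates lpData != NULL with lpcbData == NULL (Length becomes 0 and a two-byte heap block is still allocated), but the non-string path in the fourth hunk still dereferences `*lpcbData` unconditionally (`if (*lpcbData < Length)`), so a zero-length value that lets RegQueryValueExW succeed with the zero-sized buffer would fault there. Unless the parameter check above this hunk already rejects that combination, add `if (lpData != NULL && lpcbData == NULL) return ERROR_INVALID_PARAMETER;` before Length is computed, which is also the documented Win32 contract for this pair. The size arithmetic is unchecked as well: on a 32-bit build `*lpcbData * sizeof(WCHAR)` wraps in the DWORD Length for values above 0x7FFFFFFF and `Length + sizeof(WCHAR)` wraps when Length is at the top of the range, so the heap block can be smaller than the size passed to RegQueryValueExW; guarding with `if (*lpcbData > MAXDWORD / sizeof(WCHAR) - 1) return ERROR_INVALID_PARAMETER;` before the allocation closes that. The enclosing function RegQueryValueExA begins above this hunk and continues below it.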
@@ -4044,9 +4047,9 @@
if (is_string(Type))
{
- if (ErrorCode == ERROR_SUCCESS && ValueData.Buffer != NULL)
+ if (ErrorCode == ERROR_SUCCESS && lpValueBuffer != NULL)
{
- Status = RtlUnicodeToMultiByteN((PCHAR)lpData, *lpcbData, &Index,
(PWCHAR)ValueData.Buffer, Length);
+ Status = RtlUnicodeToMultiByteN((PCHAR)lpData, *lpcbData, &Index,
(PWCHAR)lpValueBuffer, Length);
if (NT_SUCCESS(Status))
{
PCHAR szData = (PCHAR)lpData;
@@ -4063,7 +4066,7 @@
Length = Length / sizeof(WCHAR);
}
- else if (ErrorCode == ERROR_SUCCESS && ValueData.Buffer != NULL)
+ else if (ErrorCode == ERROR_SUCCESS && lpValueBuffer != NULL)
{
if (*lpcbData < Length)
{
@@ -4071,7 +4074,7 @@
}
else
{
- RtlMoveMemory(lpData, ValueData.Buffer, Length);
+ RtlMoveMemory(lpData, lpValueBuffer, Length);
}
}
@@ -4086,9 +4089,10 @@
*lpType = Type;
}
- if (ValueData.Buffer != NULL)
- {
- RtlFreeHeap(ProcessHeap, 0, ValueData.Buffer);
+cleanup:
+ if (lpValueBuffer != NULL)
+ {
+ RtlFreeHeap(ProcessHeap, 0, lpValueBuffer);
}
return ErrorCode;