RtlCaptureUnicodeString should also check the buffers that the
UNICODE_STRING structure points to...
Modified: trunk/reactos/ntoskrnl/rtl/capture.c
_____
Modified: trunk/reactos/ntoskrnl/rtl/capture.c
--- trunk/reactos/ntoskrnl/rtl/capture.c 2005-01-22 18:08:28 UTC
(rev 13218)
+++ trunk/reactos/ntoskrnl/rtl/capture.c 2005-01-22 20:53:14 UTC
(rev 13219)
@@ -58,6 +58,12 @@
sizeof(UNICODE_STRING),
sizeof(ULONG));
Src = *UnsafeSrc;
+ if(Src.Length > 0)
+ {
+ ProbeForRead(Src.Buffer,
+ Src.Length,
+ sizeof(WCHAR));
+ }
}
_SEH_HANDLE
{
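Review bot: The new `ProbeForRead(Src.Buffer, Src.Length, sizeof(WCHAR))` validates the buffer address and alignment, but nothing validates that `Src.Length` is itself a multiple of `sizeof(WCHAR)`, so a user-supplied odd Length passes the probe and later copies a partial wide character. A check such as `if (Src.Length & (sizeof(WCHAR) - 1))` before the probe, failing with STATUS_INVALID_PARAMETER through whatever error path this `_SEH_TRY` block uses, would keep the captured string well-formed; the start of that block and the function's signature are outside this hunk, so the exact error mechanism cannot be confirmed from here. The probe is only skipped for a zero Length, which is consistent with the zero-length branch added later in the function.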
@@ -86,20 +92,19 @@
* Initialize the destination string.
*/
Dest->Length = Src.Length;
- Dest->MaximumLength = Src.Length + sizeof(WCHAR);
- Dest->Buffer = ExAllocatePool(PoolType, Dest->MaximumLength);
- if (Dest->Buffer == NULL)
- {
- Dest->Length = Dest->MaximumLength = 0;
- Dest->Buffer = NULL;
- return STATUS_INSUFFICIENT_RESOURCES;
- }
-
- /*
- * Copy the source string to kernel space.
- */
if(Src.Length > 0)
{
+ Dest->MaximumLength = Src.Length + sizeof(WCHAR);
+ Dest->Buffer = ExAllocatePool(PoolType, Dest->MaximumLength);
+ if (Dest->Buffer == NULL)
+ {
+ Dest->Length = Dest->MaximumLength = 0;
+ Dest->Buffer = NULL;
+ return STATUS_INSUFFICIENT_RESOURCES;
+ }
+ /*
+ * Copy the source string to kernel space.
+ */
_SEH_TRY
{
RtlCopyMemory(Dest->Buffer, Src.Buffer, Src.Length);
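Review bot: `Dest->MaximumLength = Src.Length + sizeof(WCHAR);` on the new side truncates, because UNICODE_STRING.Length and MaximumLength are USHORT: a user-supplied Length of 65534 or 65535 yields a MaximumLength of 0 or 1, `ExAllocatePool(PoolType, Dest->MaximumLength)` returns a tiny block, and the following `RtlCopyMemory(Dest->Buffer, Src.Buffer, Src.Length)` overruns the pool allocation with user-controlled data. Reject lengths that cannot be extended by the terminator before allocating, e.g. `if (Src.Length > MAXUSHORT - sizeof(WCHAR)) return STATUS_INVALID_PARAMETER;` placed just ahead of the MaximumLength assignment, where the existing STATUS_INSUFFICIENT_RESOURCES return already shows a plain return is acceptable. Separately, the extra `sizeof(WCHAR)` reserved for a terminator is never written, so the last two bytes of `Dest->Buffer` remain uninitialized pool memory; either terminate the string after a successful copy or drop the allowance so the allocation matches what is copied. The enclosing function starts before and ends after this hunk.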
@@ -111,6 +116,11 @@
}
_SEH_END;
}
+ else
+ {
+ Dest->MaximumLength = 0;
+ Dest->Buffer = NULL;
+ }
return Status;
}