[janderwald] 47763: [WDMAUD_KERNEL] - Fix possible buffer overflow [MMIXER] - Add sanity checks
12 Jun
2010
12 Jun
'10
10:21 a.m.
Author: janderwald
Date: Sat Jun 12 10:21:03 2010
New Revision: 47763
URL: http://svn.reactos.org/svn/reactos?rev=47763&view=rev
Log:
[WDMAUD_KERNEL]
- Fix possible buffer overflow
[MMIXER]
- Add sanity checks
Modified:
trunk/reactos/drivers/wdm/audio/legacy/wdmaud/deviface.c
trunk/reactos/lib/drivers/sound/mmixer/controls.c
trunk/reactos/lib/drivers/sound/mmixer/filter.c
trunk/reactos/lib/drivers/sound/mmixer/mixer.c
trunk/reactos/lib/drivers/sound/mmixer/priv.h
trunk/reactos/lib/drivers/sound/mmixer/sup.c
trunk/reactos/lib/drivers/sound/mmixer/wave.c
Modified: trunk/reactos/drivers/wdm/audio/legacy/wdmaud/deviface.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/wdm/audio/legacy/w…
==============================================================================
--- trunk/reactos/drivers/wdm/audio/legacy/wdmaud/deviface.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/wdm/audio/legacy/wdmaud/deviface.c [iso-8859-1] Sat Jun 12
10:21:03 2010
@@ -122,18 +122,32 @@
}
else
{
+ Entry = (SYSAUDIO_ENTRY*)AllocateItem(NonPagedPool, sizeof(SYSAUDIO_ENTRY));
+ if (!Entry)
+ {
+ return STATUS_INSUFFICIENT_RESOURCES;
+ }
+
+
Length = wcslen(DeviceName.Buffer) + 1;
- Entry = (SYSAUDIO_ENTRY*)AllocateItem(NonPagedPool, sizeof(SYSAUDIO_ENTRY) +
Length * sizeof(WCHAR));
- if (!Entry)
- {
+ Entry->SymbolicLink.Length = 0;
+ Entry->SymbolicLink.MaximumLength = Length * sizeof(WCHAR);
+ Entry->SymbolicLink.Buffer = AllocateItem(NonPagedPool,
Entry->SymbolicLink.MaximumLength);
+
+ if (!Entry->SymbolicLink.Buffer)
+ {
+ FreeItem(Entry);
return STATUS_INSUFFICIENT_RESOURCES;
}
- Entry->SymbolicLink.Length = Entry->SymbolicLink.MaximumLength = Length
* sizeof(WCHAR);
- Entry->SymbolicLink.MaximumLength += sizeof(WCHAR);
- Entry->SymbolicLink.Buffer = (LPWSTR) (Entry + 1);
-
- wcscpy(Entry->SymbolicLink.Buffer, DeviceName.Buffer);
+ Status = RtlAppendUnicodeStringToString(&Entry->SymbolicLink,
&DeviceName);
+
+ if (!NT_SUCCESS(Status))
+ {
+ FreeItem(Entry->SymbolicLink.Buffer);
+ FreeItem(Entry);
+ return Status;
+ }
InsertTailList(&DeviceExtension->SysAudioDeviceList,
&Entry->Entry);
DeviceExtension->NumSysAudioDevices++;
Modified: trunk/reactos/lib/drivers/sound/mmixer/controls.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/sound/mmixer/c…
==============================================================================
--- trunk/reactos/lib/drivers/sound/mmixer/controls.c [iso-8859-1] (original)
+++ trunk/reactos/lib/drivers/sound/mmixer/controls.c [iso-8859-1] Sat Jun 12 10:21:03
2010
@@ -15,6 +15,7 @@
IN PKSMULTIPLE_ITEM NodeTypes,
IN ULONG bUpDirection,
IN ULONG NodeConnectionIndex,
+ IN ULONG PinCount,
OUT PULONG Pins)
{
PKSTOPOLOGY_CONNECTION Connection;
@@ -41,6 +42,9 @@
//DPRINT("GetTargetPinsByNodeIndex FOUND Target Pin %u Parsed %u\n",
PinId, Pins[PinId]);
+ // sanity check
+ ASSERT(PinId < PinCount);
+
/* mark pin index as a target pin */
Pins[PinId] = TRUE;
return MM_STATUS_SUCCESS;
@@ -61,7 +65,7 @@
for(Index = 0; Index < NodeConnectionCount; Index++)
{
// iterate recursively into the nodes
- Status = MMixerGetTargetPinsByNodeConnectionIndex(MixerContext,
NodeConnections, NodeTypes, bUpDirection, NodeConnection[Index], Pins);
+ Status = MMixerGetTargetPinsByNodeConnectionIndex(MixerContext,
NodeConnections, NodeTypes, bUpDirection, NodeConnection[Index], PinCount, Pins);
ASSERT(Status == MM_STATUS_SUCCESS);
}
// free node connection indexes
@@ -597,6 +601,8 @@
DestinationLine->Line.Target.wMid = MixerInfo->MixCaps.wMid;
DestinationLine->Line.Target.wPid = MixerInfo->MixCaps.wPid;
DestinationLine->Line.Target.vDriverVersion =
MixerInfo->MixCaps.vDriverVersion;
+
+ ASSERT(MixerInfo->MixCaps.szPname[MAXPNAMELEN-1] == 0);
wcscpy(DestinationLine->Line.Target.szPname, MixerInfo->MixCaps.szPname);
// initialize extra line
@@ -736,11 +742,11 @@
return Status;
}
- /* there should be no split in the bride pin */
+ /* there should be no split in the bridge pin */
ASSERT(PinConnectionIndexCount == 1);
/* find all target pins of this connection */
- Status = MMixerGetTargetPinsByNodeConnectionIndex(MixerContext, NodeConnections,
NodeTypes, FALSE, PinConnectionIndex[0], PinsRef);
+ Status = MMixerGetTargetPinsByNodeConnectionIndex(MixerContext, NodeConnections,
NodeTypes, FALSE, PinConnectionIndex[0], PinsRefCount, PinsRef);
if (Status != MM_STATUS_SUCCESS)
{
MixerContext->Free(PinsRef);
@@ -779,7 +785,7 @@
}
// now get all connected source pins
- Status = MMixerGetTargetPinsByNodeConnectionIndex(MixerContext,
NodeConnections, NodeTypes, TRUE, MixerControls[0], PinsSrcRef);
+ Status = MMixerGetTargetPinsByNodeConnectionIndex(MixerContext,
NodeConnections, NodeTypes, TRUE, MixerControls[0], PinsRefCount, PinsSrcRef);
if (Status != MM_STATUS_SUCCESS)
{
// failed */
@@ -857,6 +863,9 @@
InitializeListHead(&MixerInfo->LineList);
InitializeListHead(&MixerInfo->EventList);
+ // sanity check
+ ASSERT(PinCount);
+
// now allocate an array which will receive the indices of the pin
// which has a ADC / DAC nodetype in its path
Pins = (PULONG)MixerContext->Alloc(PinCount * sizeof(ULONG));
Modified: trunk/reactos/lib/drivers/sound/mmixer/filter.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/sound/mmixer/f…
==============================================================================
--- trunk/reactos/lib/drivers/sound/mmixer/filter.c [iso-8859-1] (original)
+++ trunk/reactos/lib/drivers/sound/mmixer/filter.c [iso-8859-1] Sat Jun 12 10:21:03 2010
@@ -57,6 +57,9 @@
if (Status != MM_STATUS_MORE_ENTRIES)
return Status;
+ //sanity check
+ ASSERT(BytesReturned);
+
// allocate an result buffer
MultipleItem = (PKSMULTIPLE_ITEM)MixerContext->Alloc(BytesReturned);
Modified: trunk/reactos/lib/drivers/sound/mmixer/mixer.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/sound/mmixer/m…
==============================================================================
--- trunk/reactos/lib/drivers/sound/mmixer/mixer.c [iso-8859-1] (original)
+++ trunk/reactos/lib/drivers/sound/mmixer/mixer.c [iso-8859-1] Sat Jun 12 10:21:03 2010
@@ -65,6 +65,8 @@
MixerCaps->vDriverVersion = MixerInfo->MixCaps.vDriverVersion;
MixerCaps->fdwSupport = MixerInfo->MixCaps.fdwSupport;
MixerCaps->cDestinations = MixerInfo->MixCaps.cDestinations;
+
+ ASSERT(MixerInfo->MixCaps.szPname[MAXPNAMELEN-1] == 0);
wcscpy(MixerCaps->szPname, MixerInfo->MixCaps.szPname);
return MM_STATUS_SUCCESS;
Modified: trunk/reactos/lib/drivers/sound/mmixer/priv.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/sound/mmixer/p…
==============================================================================
--- trunk/reactos/lib/drivers/sound/mmixer/priv.h [iso-8859-1] (original)
+++ trunk/reactos/lib/drivers/sound/mmixer/priv.h [iso-8859-1] Sat Jun 12 10:21:03 2010
@@ -178,6 +178,7 @@
IN PKSMULTIPLE_ITEM NodeTypes,
IN ULONG bUpDirection,
IN ULONG NodeConnectionIndex,
+ IN ULONG PinCount,
OUT PULONG Pins);
MIXER_STATUS
Modified: trunk/reactos/lib/drivers/sound/mmixer/sup.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/sound/mmixer/s…
==============================================================================
--- trunk/reactos/lib/drivers/sound/mmixer/sup.c [iso-8859-1] (original)
+++ trunk/reactos/lib/drivers/sound/mmixer/sup.c [iso-8859-1] Sat Jun 12 10:21:03 2010
@@ -358,7 +358,7 @@
{
for(Index = 0; Index < NodeConnectionCount; Index++)
{
- Status = MMixerGetTargetPinsByNodeConnectionIndex(MixerContext,
NodeConnections, NodeTypes, bUpDirection, NodeConnection[Index], Pins);
+ Status = MMixerGetTargetPinsByNodeConnectionIndex(MixerContext,
NodeConnections, NodeTypes, bUpDirection, NodeConnection[Index], PinCount, Pins);
ASSERT(Status == STATUS_SUCCESS);
}
MixerContext->Free((PVOID)NodeConnection);
@@ -638,6 +638,7 @@
Status = MixerContext->QueryKeyValue(hKey, L"FriendlyName",
(PVOID*)&Name, &Length, &Type);
if (Status == MM_STATUS_SUCCESS)
{
+ ASSERT(Length < MAXPNAMELEN);
wcscpy(MixerInfo->MixCaps.szPname, Name);
MixerContext->Free(Name);
return Status;
@@ -650,6 +651,7 @@
Status = MixerContext->QueryKeyValue(hKey, L"FriendlyName",
(PVOID*)&Name, &Length, &Type);
if (Status == MM_STATUS_SUCCESS)
{
+ ASSERT(Length < MAXPNAMELEN);
wcscpy(MixerInfo->MixCaps.szPname, Name);
MixerContext->Free(Name);
}
Modified: trunk/reactos/lib/drivers/sound/mmixer/wave.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/lib/drivers/sound/mmixer/w…
==============================================================================
--- trunk/reactos/lib/drivers/sound/mmixer/wave.c [iso-8859-1] (original)
+++ trunk/reactos/lib/drivers/sound/mmixer/wave.c [iso-8859-1] Sat Jun 12 10:21:03 2010
@@ -360,6 +360,8 @@
WaveInfo->DeviceId = MixerData->DeviceId;
WaveInfo->PinId = PinId;
+ // sanity check
+ ASSERT(wcslen(DeviceName) < MAXPNAMELEN);
/* copy device name */
if (bWaveIn)
@@ -419,9 +421,6 @@
/* free dataranges buffer */
MixerContext->Free(MultipleItem);
-
-
-
if (bWaveIn)
{
5270
days inactive
5270
days old
0 comments
1 participants
participants (1)
-
janderwald@svn.reactos.org