Author: tkreuzer
Date: Tue Apr 1 13:21:06 2008
New Revision: 32810
URL:
http://svn.reactos.org/svn/reactos?rev=32810&view=rev
Log:
fix handling of unsafe string parameter in NtGdiGetFontResourceInfoInternalW
Modified:
trunk/reactos/subsystems/win32/win32k/objects/text.c
Modified: trunk/reactos/subsystems/win32/win32k/objects/text.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/ob…
==============================================================================
--- trunk/reactos/subsystems/win32/win32k/objects/text.c [iso-8859-1] (original)
+++ trunk/reactos/subsystems/win32/win32k/objects/text.c [iso-8859-1] Tue Apr 1 13:21:06
2008
@@ -4358,6 +4358,7 @@
DWORD dwBytes;
UNICODE_STRING SafeFileNames;
BOOL bRet = FALSE;
+ ULONG cbStringSize;
union
{
@@ -4375,13 +4376,26 @@
return FALSE;
}
- /* Check buffers and copy pwszFiles */
+ /* Allocate a safe unicode string buffer */
+ cbStringSize = cwc * sizeof(WCHAR);
+ SafeFileNames.MaximumLength = SafeFileNames.Length = cbStringSize - sizeof(WCHAR);
+ SafeFileNames.Buffer = ExAllocatePoolWithTag(PagedPool,
+ cbStringSize,
+
TAG('R','T','S','U'));
+ if (!SafeFileNames.Buffer)
+ {
+ SetLastWin32Error(ERROR_NOT_ENOUGH_MEMORY);
+ return FALSE;
+ }
+
+ /* Check buffers and copy pwszFiles to safe unicode string */
_SEH_TRY
{
- ProbeForRead(pwszFiles, cwc * sizeof(WCHAR), 1);
- bRet = RtlCreateUnicodeString(&SafeFileNames, pwszFiles);
+ ProbeForRead(pwszFiles, cbStringSize, 1);
ProbeForWrite(pdwBytes, sizeof(DWORD), 1);
ProbeForWrite(pvBuf, cjIn, 1);
+
+ RtlCopyMemory(SafeFileNames.Buffer, pwszFiles, cbStringSize);
}
_SEH_HANDLE
{
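Review bot: `cwc` is caller-supplied and feeds `cbStringSize = cwc * sizeof(WCHAR)` unchecked, unless the parameter check that ends just above this hunk already bounds it (that check and the rest of the function lie outside the hunk). With `cwc == 0`, `cbStringSize - sizeof(WCHAR)` wraps. For byte counts above 0xFFFF the value is truncated when stored in the USHORT `Length`/`MaximumLength`, so the UNICODE_STRING no longer describes the allocation, and a very large count can also wrap the ULONG multiplication. A guard before the allocation would cover all three: `if (cwc == 0 || cwc > MAXUSHORT / sizeof(WCHAR)) { SetLastWin32Error(ERROR_INVALID_PARAMETER); return FALSE; }`. The copy also trusts the caller to have terminated the string, so adding `SafeFileNames.Buffer[cwc - 1] = 0;` after `RtlCopyMemory` would make the `Length` assumption hold for the kernel-side copy.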
@@ -4389,20 +4403,15 @@
}
_SEH_END
- if(!bRet)
- {
- /* Could not create the unicode string, so return instantly */
+ if(!NT_SUCCESS(Status))
+ {
+ SetLastNtError(Status);
+ /* Free the string buffer for the safe filename */
+ ExFreePool(SafeFileNames.Buffer);
return FALSE;
}
- if(!NT_SUCCESS(Status))
- {
- SetLastNtError(Status);
- /* Free the string for the filename */
- RtlFreeUnicodeString(&SafeFileNames);
- return FALSE;
- }
-
+ /* Do the actual call */
bRet = IntGdiGetFontResourceInfo(&SafeFileNames, &Buffer, &dwBytes,
dwType);
/* Check if succeeded and the buffer is big enough */
@@ -4428,8 +4437,8 @@
}
}
- /* Free the string for the filename */
- RtlFreeUnicodeString(&SafeFileNames);
+ /* Free the string for the safe filenames */
+ ExFreePool(SafeFileNames.Buffer);
return bRet;
}