https://git.reactos.org/?p=reactos.git;a=commitdiff;h=d519b11a286819d9d00e9…
commit d519b11a286819d9d00e986ed07778a17790f7ed
Author: Katayama Hirofumi MZ <katayama.hirofumi.mz(a)gmail.com>
AuthorDate: Mon Aug 8 21:23:49 2022 +0900
Commit: GitHub <noreply(a)github.com>
CommitDate: Mon Aug 8 21:23:49 2022 +0900
[NTUSER] Security: Follow-up of #4595 (#4598)
Improve security. CORE-11700
---
win32ss/user/ntuser/kbdlayout.c | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/win32ss/user/ntuser/kbdlayout.c b/win32ss/user/ntuser/kbdlayout.c
index a91a641e994..09e0f677f38 100644
--- a/win32ss/user/ntuser/kbdlayout.c
+++ b/win32ss/user/ntuser/kbdlayout.c
@@ -654,7 +654,8 @@ NtUserGetKeyboardLayoutName(
BOOL bRet = FALSE;
PKL pKl;
PTHREADINFO pti;
- UNICODE_STRING ustrTemp;
+ UNICODE_STRING ustrNameSafe;
+ NTSTATUS Status;
UserEnterShared();
@@ -667,24 +668,32 @@ NtUserGetKeyboardLayoutName(
_SEH2_TRY
{
ProbeForWriteUnicodeString(pustrName);
- ProbeForWrite(pustrName->Buffer, pustrName->MaximumLength, 1);
+ ustrNameSafe = *pustrName;
+
+ ProbeForWrite(ustrNameSafe.Buffer, ustrNameSafe.MaximumLength, 1);
if (IS_IME_HKL(pKl->hkl))
{
- RtlIntegerToUnicodeString((ULONG)(ULONG_PTR)pKl->hkl, 16, pustrName);
+ Status = RtlIntegerToUnicodeString((ULONG)(ULONG_PTR)pKl->hkl, 16,
&ustrNameSafe);
}
else
{
- if (pustrName->MaximumLength < KL_NAMELENGTH * sizeof(WCHAR))
+ if (ustrNameSafe.MaximumLength < KL_NAMELENGTH * sizeof(WCHAR))
{
EngSetLastError(ERROR_INVALID_PARAMETER);
goto cleanup;
}
- RtlInitUnicodeString(&ustrTemp, pKl->spkf->awchKF); /* FIXME: Do
not use awchKF */
- RtlCopyUnicodeString(pustrName, &ustrTemp);
+
+ /* FIXME: Do not use awchKF */
+ ustrNameSafe.Length = 0;
+ Status = RtlAppendUnicodeToString(&ustrNameSafe,
pKl->spkf->awchKF);
}
- bRet = TRUE;
+ if (NT_SUCCESS(Status))
+ {
+ *pustrName = ustrNameSafe;
+ bRet = TRUE;
+ }
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
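Review bot: When `Status` is a failure the new `if (NT_SUCCESS(Status))` block just falls through, so the call returns FALSE with no last error set. This is reachable on the IME branch if `RtlIntegerToUnicodeString` rejects a caller buffer that is too short, whereas the non-IME branch reports `ERROR_INVALID_PARAMETER` for the same condition. Either add `else { SetLastNtError(Status); }` after the success block, or hoist the `ustrNameSafe.MaximumLength < KL_NAMELENGTH * sizeof(WCHAR)` check above the `IS_IME_HKL` test so both branches reject short buffers the same way. The copy-back `*pustrName = ustrNameSafe;` also rewrites `Buffer` and `MaximumLength` in user memory although only `Length` changed, so `pustrName->Length = ustrNameSafe.Length;` would be the narrower write. The function starts before and continues past this hunk, so whatever the `_SEH2_EXCEPT` handler reports is not visible here.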