https://git.reactos.org/?p=reactos.git;a=commitdiff;h=96ae15ac4bfa3c43fe08a…
commit 96ae15ac4bfa3c43fe08aa959f58fd8a1449e8e0
Author: Jérôme Gardou <jerome.gardou(a)reactos.org>
AuthorDate: Tue Dec 15 10:07:27 2020 +0100
Commit: Jérôme Gardou <jerome.gardou(a)reactos.org>
CommitDate: Tue Dec 15 10:08:25 2020 +0100
[NTOS:MM] Fix more 64 bit arithmetics
---
ntoskrnl/mm/ARM3/section.c | 29 ++++++++++++++++++++---------
1 file changed, 20 insertions(+), 9 deletions(-)
diff --git a/ntoskrnl/mm/ARM3/section.c b/ntoskrnl/mm/ARM3/section.c
index 347f3ca4074..02ead9a70a5 100644
--- a/ntoskrnl/mm/ARM3/section.c
+++ b/ntoskrnl/mm/ARM3/section.c
@@ -1299,6 +1299,14 @@ MiMapViewOfDataSection(IN PCONTROL_AREA ControlArea,
{
/* The caller did not, so pick a 64K aligned view size based on the offset */
SectionOffset->LowPart &= ~(_64K - 1);
+
+ /* Make sure that we will not overflow */
+ if ((Section->SizeOfSection.QuadPart - SectionOffset->QuadPart) >
MAXLONG_PTR)
+ {
+ MiDereferenceControlArea(ControlArea);
+ return STATUS_INVALID_VIEW_SIZE;
+ }
+
*ViewSize = (SIZE_T)(Section->SizeOfSection.QuadPart -
SectionOffset->QuadPart);
}
else
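Review bot: The new guard in the zero-size branch only rejects a difference above MAXLONG_PTR, so a negative difference still passes. QuadPart is a signed 64-bit field, and if SectionOffset->QuadPart exceeds Section->SizeOfSection.QuadPart the subtraction is negative, the comparison is false, and the `(SIZE_T)` cast below turns it into a huge view size. An earlier check in MiMapViewOfDataSection may already rule this out, but that code is outside the hunk. If it does not, the guard should cover it, e.g. `if ((SectionOffset->QuadPart > Section->SizeOfSection.QuadPart) || ((Section->SizeOfSection.QuadPart - SectionOffset->QuadPart) > MAXLONG_PTR))`. If the ordering is guaranteed earlier, a short comment naming that check would make the assumption visible here.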
@@ -1306,6 +1314,13 @@ MiMapViewOfDataSection(IN PCONTROL_AREA ControlArea,
/* A size was specified, align it to a 64K boundary */
*ViewSize += SectionOffset->LowPart & (_64K - 1);
+ /* Check for overflow or huge value */
+ if ((*ViewSize < (SectionOffset->LowPart & (_64K - 1))) || ((*ViewSize)
> MAXLONG_PTR))
+ {
+ MiDereferenceControlArea(ControlArea);
+ return STATUS_INVALID_VIEW_SIZE;
+ }
+
/* Align the offset as well to make this an aligned map */
SectionOffset->LowPart &= ~((ULONG)_64K - 1);
}
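Review bot: The size limit here is tested with `> MAXLONG_PTR`, whereas the check this commit removes further down used `>= MAXLONG_PTR`, so a view size of exactly MAXLONG_PTR is now accepted; the zero-size branch in the first hunk has the same comparison. If code after this hunk rounds *ViewSize up to a page or 64K boundary, that value could wrap once it is treated as a LONG_PTR; that code is not visible here. Either keep the old boundary with `((*ViewSize) >= MAXLONG_PTR)`, or add a comment saying why the relaxed boundary is safe.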
@@ -1313,13 +1328,6 @@ MiMapViewOfDataSection(IN PCONTROL_AREA ControlArea,
/* We must be dealing with a 64KB aligned offset. This is a Windows ASSERT */
ASSERT((SectionOffset->LowPart & ((ULONG)_64K - 1)) == 0);
- /* It's illegal to try to map more than overflows a LONG_PTR */
- if (*ViewSize >= MAXLONG_PTR)
- {
- MiDereferenceControlArea(ControlArea);
- return STATUS_INVALID_VIEW_SIZE;
- }
-
/* Windows ASSERTs for this flag */
ASSERT(ControlArea->u.Flags.GlobalOnlyPerSession == 0);
@@ -1535,7 +1543,10 @@ MiCreatePagingFileMap(OUT PSEGMENT *Segment,
SizeLimit <<= PAGE_SHIFT;
/* Fail if this size is too big */
- if (MaximumSize->QuadPart > SizeLimit) return STATUS_SECTION_TOO_BIG;
+ if (MaximumSize->QuadPart > SizeLimit)
+ {
+ return STATUS_SECTION_TOO_BIG;
+ }
/* Calculate how many Prototype PTEs will be needed */
PteCount = (PFN_COUNT)((MaximumSize->QuadPart + PAGE_SIZE - 1) >>
PAGE_SHIFT);
@@ -1592,7 +1603,7 @@ MiCreatePagingFileMap(OUT PSEGMENT *Segment,
/* Save some extra accounting data for the segment as well */
NewSegment->u1.CreatingProcess = PsGetCurrentProcess();
- NewSegment->SizeOfSegment = PteCount * PAGE_SIZE;
+ NewSegment->SizeOfSegment = ((ULONGLONG)PteCount) * PAGE_SIZE;
NewSegment->TotalNumberOfPtes = PteCount;
NewSegment->NonExtendedPtes = PteCount;
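Review bot: The widening cast on the SizeOfSegment line deserves a one-line why-comment so it is not later removed as redundant. Without the cast the multiplication appears to be done in the 32-bit width of PteCount (it is assigned through a `(PFN_COUNT)` cast in the previous hunk) and would wrap for segments of 4 GB or more before being stored in the wider field. Suggested comment: `/* Widen first: PteCount is 32-bit, so PteCount * PAGE_SIZE would wrap for segments of 4GB or more */`. MiCreatePagingFileMap continues outside the hunk.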