https://git.reactos.org/?p=reactos.git;a=commitdiff;h=7f346b1aa350942540c7d…
commit 7f346b1aa350942540c7dee9fce3869bea2a72a6
Author: Thamatip Chitpong <thamatip.chitpong(a)reactos.org>
AuthorDate: Wed Nov 22 08:58:27 2023 +0700
Commit: GitHub <noreply(a)github.com>
CommitDate: Wed Nov 22 08:58:27 2023 +0700
[SETUPAPI] CM_Request_Device_Eject_ExA/W: Fix pszVetoName buffer size validation
(#5943)
- Return CR_INVALID_POINTER if pszVetoName is NULL and ulNameLength is not zero
- CM_Request_Device_Eject_ExA: Allow ulNameLength to be zero when pszVetoName is not
NULL
Verified with Windows 2003 SP2.
---
dll/win32/setupapi/cfgmgr.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/dll/win32/setupapi/cfgmgr.c b/dll/win32/setupapi/cfgmgr.c
index 4a4e18ad621..3ab1d6969ce 100644
--- a/dll/win32/setupapi/cfgmgr.c
+++ b/dll/win32/setupapi/cfgmgr.c
@@ -7483,22 +7483,25 @@ CM_Request_Device_Eject_ExA(
_In_ ULONG ulFlags,
_In_opt_ HMACHINE hMachine)
{
- LPWSTR lpLocalVetoName;
+ LPWSTR lpLocalVetoName = NULL;
CONFIGRET ret;
TRACE("CM_Request_Device_Eject_ExA(%lx %p %s %lu %lx %p)\n",
dnDevInst, pVetoType, debugstr_a(pszVetoName), ulNameLength, ulFlags,
hMachine);
- if (pszVetoName == NULL && ulNameLength == 0)
- return CR_INVALID_POINTER;
+ if (ulNameLength != 0)
+ {
+ if (pszVetoName == NULL)
+ return CR_INVALID_POINTER;
- lpLocalVetoName = HeapAlloc(GetProcessHeap(), 0, ulNameLength * sizeof(WCHAR));
- if (lpLocalVetoName == NULL)
- return CR_OUT_OF_MEMORY;
+ lpLocalVetoName = HeapAlloc(GetProcessHeap(), 0, ulNameLength * sizeof(WCHAR));
+ if (lpLocalVetoName == NULL)
+ return CR_OUT_OF_MEMORY;
+ }
ret = CM_Request_Device_Eject_ExW(dnDevInst, pVetoType, lpLocalVetoName,
ulNameLength, ulFlags, hMachine);
- if (ret == CR_REMOVE_VETOED)
+ if (ret == CR_REMOVE_VETOED && ulNameLength != 0)
{
if (WideCharToMultiByte(CP_ACP,
0,
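Review bot: The allocation size `ulNameLength * sizeof(WCHAR)` inside the new `if (ulNameLength != 0)` block is computed from a caller-supplied ULONG with no upper bound. On a 32-bit build the product can wrap, leaving a heap buffer smaller than the `ulNameLength` characters that are then passed as the capacity to CM_Request_Device_Eject_ExW. Whether the W path can write that many characters is not visible in this hunk, but a guard before HeapAlloc would rule it out: `if (ulNameLength > MAXULONG / sizeof(WCHAR)) return CR_OUT_OF_MEMORY;`. The return code is only a suggestion and should be checked against Windows behaviour, as was done for the other cases. The function body continues past the end of this hunk, so the WideCharToMultiByte conversion and the release of lpLocalVetoName could not be reviewed.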
@@ -7544,7 +7547,7 @@ CM_Request_Device_Eject_ExW(
if (ulFlags != 0)
return CR_INVALID_FLAG;
- if (pszVetoName == NULL && ulNameLength == 0)
+ if (pszVetoName == NULL && ulNameLength != 0)
return CR_INVALID_POINTER;
if (hMachine != NULL)