Author: fireball
Date: Wed Dec 5 01:52:05 2007
New Revision: 31010
URL:
http://svn.reactos.org/svn/reactos?rev=31010&view=rev
Log:
Andrey Korotaev <unc0rr(a)mail.ru>:
- Never trust MaximumLength passed from usermode when copying a unicode string (fixes a
wide amount of crashes, tested with CdrLabel 4.1).
Modified:
trunk/reactos/subsystems/win32/win32k/ntuser/misc.c
Modified: trunk/reactos/subsystems/win32/win32k/ntuser/misc.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/nt…
==============================================================================
--- trunk/reactos/subsystems/win32/win32k/ntuser/misc.c (original)
+++ trunk/reactos/subsystems/win32/win32k/ntuser/misc.c Wed Dec 5 01:52:05 2007
@@ -2397,10 +2397,10 @@
Src = Dest->Buffer;
Dest->Buffer = NULL;
+ Dest->MaximumLength = Dest->Length;
if(Dest->Length > 0 && Src)
{
- Dest->MaximumLength = Dest->Length;
Dest->Buffer = ExAllocatePoolWithTag(PagedPool, Dest->MaximumLength,
TAG_STRING);
if(!Dest->Buffer)
{
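Review bot: The hoisted `Dest->MaximumLength = Dest->Length;` runs even when the following `if(Dest->Length > 0 && Src)` test fails because Src is NULL while Length is non-zero. In that case Dest keeps a NULL Buffer together with a non-zero Length and MaximumLength, unless code outside this hunk resets them. Consider clearing both lengths on that path so that callers never see a descriptor claiming bytes it does not own. The visible lines also do not check that the usermode-supplied Length is a multiple of sizeof(WCHAR), and it now sizes the allocation directly. A short comment on the hoisted line saying that the caller's MaximumLength is deliberately discarded would keep a later cleanup from moving it back inside the branch.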
@@ -2443,6 +2443,7 @@
Src = Dest->Buffer;
Dest->Buffer = NULL;
+ Dest->MaximumLength = 0;
if(Dest->Length > 0 && Src)
{
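Review bot: With `Dest->MaximumLength = 0;` placed before `if(Dest->Length > 0 && Src)`, a descriptor that arrives with a non-zero Length and a NULL Src skips the branch and is left with Length greater than MaximumLength, which is not a valid UNICODE_STRING state. Setting Length to 0 on that path as well would fix it. This hunk also resets the field to 0 where the previous hunk uses `Dest->Length`, and the lines shown here do not include where MaximumLength is recomputed inside the branch. Please confirm that the allocation size there is derived from Length and not from the now-zeroed field, and note the reason for the difference between the two functions in a comment.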