Author: fireball
Date: Wed Dec 5 01:52:05 2007
New Revision: 31010

URL: http://svn.reactos.org/svn/reactos?rev=31010&view=rev

Log:
Andrey Korotaev unc0rr@mail.ru:
- Never trust MaximumLength passed from usermode when copying a unicode string (fixes a wide amount of crashes, tested with CdrLabel 4.1).

Modified: trunk/reactos/subsystems/win32/win32k/ntuser/misc.c
Modified: trunk/reactos/subsystems/win32/win32k/ntuser/misc.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/ntu... ============================================================================== --- trunk/reactos/subsystems/win32/win32k/ntuser/misc.c (original) +++ trunk/reactos/subsystems/win32/win32k/ntuser/misc.c Wed Dec 5 01:52:05 2007 @@ -2397,10 +2397,10 @@
Src = Dest->Buffer; Dest->Buffer = NULL; + Dest->MaximumLength = Dest->Length;
if(Dest->Length > 0 && Src) { - Dest->MaximumLength = Dest->Length; Dest->Buffer = ExAllocatePoolWithTag(PagedPool, Dest->MaximumLength, TAG_STRING); if(!Dest->Buffer) { @@ -2443,6 +2443,7 @@
Src = Dest->Buffer; Dest->Buffer = NULL; + Dest->MaximumLength = 0;
if(Dest->Length > 0 && Src) {
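
Review bot: In the first hunk (@@ -2397,10 +2397,10 @@), hoisting `Dest->MaximumLength = Dest->Length;` above the `if(Dest->Length > 0 && Src)` test covers the path where the branch is skipped, but when Length is nonzero and Src is NULL the visible lines leave Dest with Buffer == NULL while Length and MaximumLength are both nonzero. Consider zeroing Dest->Length and Dest->MaximumLength when the branch is not taken, so a later consumer cannot treat a NULL buffer as holding Length bytes. The allocation size now comes only from the captured Length; a one-line comment stating that the caller's MaximumLength is deliberately discarded would keep a later cleanup from restoring it.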
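
Review bot: In the second hunk (@@ -2443,6 +2443,7 @@), the added `Dest->MaximumLength = 0;` differs from the first hunk's `Dest->MaximumLength = Dest->Length;` for what looks like the same capture pattern, and the visible context does not show where MaximumLength is set to the real allocation size inside the branch. Please add a comment explaining why 0 is the right value here, and confirm that every path through the `if(Dest->Length > 0 && Src)` body assigns MaximumLength before the buffer is used. As in the first hunk, Dest->Length stays nonzero with Buffer == NULL when Src is NULL; resetting Length alongside MaximumLength would leave a consistent empty string.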