Author: tfaber
Date: Mon Apr 24 15:04:00 2017
New Revision: 74403
URL:
http://svn.reactos.org/svn/reactos?rev=74403&view=rev
Log:
[USER32]
Fix heap corruption in EnumDisplaySettingsExA/W:
- Do not overwrite the user-provided buffer size in dmDriverExtra
- Fix broken pointer arithmetic
CORE-13097
Modified:
trunk/reactos/win32ss/user/user32/misc/display.c
Modified: trunk/reactos/win32ss/user/user32/misc/display.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/win32ss/user/user32/misc/d…
==============================================================================
--- trunk/reactos/win32ss/user/user32/misc/display.c [iso-8859-1] (original)
+++ trunk/reactos/win32ss/user/user32/misc/display.c [iso-8859-1] Mon Apr 24 15:04:00
2017
@@ -238,7 +238,6 @@
COPYS(dmDeviceName, CCHDEVICENAME);
COPYN(dmSpecVersion);
COPYN(dmDriverVersion);
- COPYN(dmDriverExtra);
COPYN(dmFields);
COPYN(dmPosition.x);
COPYN(dmPosition.y);
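Review bot: The removal of `COPYN(dmDriverExtra)` leaves no comment saying why this one field is skipped while every neighbouring field is copied, so a later cleanup is likely to put it back and reintroduce the corruption the commit fixes. A one-line comment in its place would carry the reason: `/* dmDriverExtra is the caller's extra-buffer size, not driver data; the caller's value must survive this copy */`. The enclosing copy routine starts and ends outside the hunk, so the exact contract is inferred from the commit message rather than from visible code.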
@@ -288,7 +287,9 @@
lpDevMode->dmDriverExtra = lpExtendedDevMode->dmDriverExtra;
/* Copy extra data */
- RtlCopyMemory(lpDevMode + OldSize, lpExtendedDevMode + 1,
lpDevMode->dmDriverExtra);
+ RtlCopyMemory((PUCHAR)lpDevMode + OldSize,
+ lpExtendedDevMode + 1,
+ lpDevMode->dmDriverExtra);
}
/* If the size of source structure is less, than used, we clean unsupported flags
*/
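Review bot: The length argument on the new `RtlCopyMemory` line is still `lpDevMode->dmDriverExtra`, which the context line above has just set to `lpExtendedDevMode->dmDriverExtra`, i.e. the size reported for the extended structure rather than the size the caller allocated; if the reported value is larger than the caller's original dmDriverExtra, the copy writes past the end of the user buffer even with the pointer arithmetic corrected. The enclosing `if` starts outside this hunk, but the W variant's condition at @@ -363 checks only that both values are non-zero, not that the destination is large enough. Where the caller's value is saved beforehand as that hunk does with `OldDriverExtra`, the assignment should be `lpDevMode->dmDriverExtra = min(OldDriverExtra, lpExtendedDevMode->dmDriverExtra);` so the copy is bounded by the caller's buffer; the same applies to the W copy at @@ -380. The source expression `lpExtendedDevMode + 1` also assumes the extended structure's dmSize equals `sizeof(*lpExtendedDevMode)`; if the allocation outside the hunk does not guarantee that, `(PUCHAR)lpExtendedDevMode + lpExtendedDevMode->dmSize` would match the form now used for the destination.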
@@ -363,14 +364,16 @@
Status = NtUserEnumDisplaySettings(pusDeviceName, iModeNum, lpExtendedDevMode,
dwFlags);
if (NT_SUCCESS(Status))
{
- /* Store old structure size */
+ /* Store old structure sizes */
WORD OldSize = lpDevMode->dmSize;
+ WORD OldDriverExtra = lpDevMode->dmDriverExtra;
/* Copy general data */
RtlCopyMemory(lpDevMode, lpExtendedDevMode, OldSize);
- /* Restore old size */
+ /* Restore old sizes */
lpDevMode->dmSize = OldSize;
+ lpDevMode->dmDriverExtra = OldDriverExtra;
/* Extra data presented? */
if (lpDevMode->dmDriverExtra && lpExtendedDevMode->dmDriverExtra)
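Review bot: `RtlCopyMemory(lpDevMode, lpExtendedDevMode, OldSize)` uses the caller-supplied dmSize as the number of bytes read from the extended structure, so a caller passing a dmSize larger than the extended structure's own dmSize makes the read run past the kernel-filled data; whether lpExtendedDevMode is allocated with slack is decided outside the hunk, so this is inferred. Bounding the length, `RtlCopyMemory(lpDevMode, lpExtendedDevMode, min(OldSize, lpExtendedDevMode->dmSize));`, keeps the read inside the source structure while the following lines still restore dmSize and dmDriverExtra to the caller's values. The enclosing function starts outside the hunk.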
@@ -380,7 +383,9 @@
lpDevMode->dmDriverExtra = lpExtendedDevMode->dmDriverExtra;
/* Copy extra data */
- RtlCopyMemory(lpDevMode + OldSize, lpExtendedDevMode + 1,
lpDevMode->dmDriverExtra);
+ RtlCopyMemory((PUCHAR)lpDevMode + OldSize,
+ lpExtendedDevMode + 1,
+ lpDevMode->dmDriverExtra);
}
/* If the size of source structure is less, than used, we clean unsupported flags
*/