[janderwald] 42832: - Fix a few bugs - Bug1 - BufferOverflow - Bug2 - ks expects a '\\' for each pin creation request - Bug3 - ObjectLength was not correctly set, thus truncating the request - Bug4 - Zero byte was not set at correct offset, potentialy leading to a heap overflow - Ros-diffs

21 Aug 2009

Author: janderwald
Date: Fri Aug 21 20:36:43 2009
New Revision: 42832
URL: http://svn.reactos.org/svn/reactos?rev=42832&view=rev
Log:
- Fix a few bugs
- Bug1 - BufferOverflow
- Bug2 - ks expects a '\' for each pin creation request
- Bug3 - ObjectLength was not correctly set, thus truncating the request
- Bug4 - Zero byte was not set at correct offset, potentialy leading to a heap overflow
Modified:
    trunk/reactos/dll/directx/ksuser/ksuser.c
Modified: trunk/reactos/dll/directx/ksuser/ksuser.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/directx/ksuser/ksuser.c...
==============================================================================

--- trunk/reactos/dll/directx/ksuser/ksuser.c [iso-8859-1] (original)
+++ trunk/reactos/dll/directx/ksuser/ksuser.c [iso-8859-1] Fri Aug 21 20:36:43 2009
@@ -44,18 +44,19 @@
Length = wcslen(IID);
-    TotalSize = (Length * sizeof(WCHAR)) + BufferSize + 2 * sizeof(WCHAR);
+    TotalSize = (Length * sizeof(WCHAR)) + BufferSize + 4 * sizeof(WCHAR);
pStr = HeapAlloc(GetProcessHeap(), 0, TotalSize);
     if (!pStr)
         return STATUS_INSUFFICIENT_RESOURCES;
-
-    wcscpy(pStr, (LPWSTR)IID);
-    pStr[Length] = L'\';
-    memcpy(&pStr[Length+1], Buffer, BufferSize);
-    pStr[Length+1+BufferSize] = L'\0';
+    pStr[0] = L'\';
+    wcscpy(&pStr[1], (LPWSTR)IID);
+    pStr[Length+1] = L'\';
+    memcpy(&pStr[Length+2], Buffer, BufferSize);
+    pStr[Length+3+(BufferSize/sizeof(WCHAR))] = L'\0';
RtlInitUnicodeString(&ObjectName, pStr);
+    ObjectName.Length = ObjectName.MaximumLength = TotalSize;
InitializeObjectAttributes(&ObjectAttributes, &ObjectName, OBJ_CASE_INSENSITIVE, hHandle, NULL);

    