Author: janderwald
Date: Fri Aug 21 20:36:43 2009
New Revision: 42832
URL:
http://svn.reactos.org/svn/reactos?rev=42832&view=rev
Log:
- Fix a few bugs
- Bug1 - BufferOverflow
- Bug2 - ks expects a '\\' for each pin creation request
- Bug3 - ObjectLength was not correctly set, thus truncating the request
- Bug4 - Zero byte was not set at the correct offset, potentially leading to a heap overflow
Modified:
trunk/reactos/dll/directx/ksuser/ksuser.c
Modified: trunk/reactos/dll/directx/ksuser/ksuser.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/directx/ksuser/ksuser.…
==============================================================================
--- trunk/reactos/dll/directx/ksuser/ksuser.c [iso-8859-1] (original)
+++ trunk/reactos/dll/directx/ksuser/ksuser.c [iso-8859-1] Fri Aug 21 20:36:43 2009
@@ -44,18 +44,19 @@
Length = wcslen(IID);
- TotalSize = (Length * sizeof(WCHAR)) + BufferSize + 2 * sizeof(WCHAR);
+ TotalSize = (Length * sizeof(WCHAR)) + BufferSize + 4 * sizeof(WCHAR);
pStr = HeapAlloc(GetProcessHeap(), 0, TotalSize);
if (!pStr)
return STATUS_INSUFFICIENT_RESOURCES;
-
- wcscpy(pStr, (LPWSTR)IID);
- pStr[Length] = L'\\';
- memcpy(&pStr[Length+1], Buffer, BufferSize);
- pStr[Length+1+BufferSize] = L'\0';
+ pStr[0] = L'\\';
+ wcscpy(&pStr[1], (LPWSTR)IID);
+ pStr[Length+1] = L'\\';
+ memcpy(&pStr[Length+2], Buffer, BufferSize);
+ pStr[Length+3+(BufferSize/sizeof(WCHAR))] = L'\0';
RtlInitUnicodeString(&ObjectName, pStr);
+ ObjectName.Length = ObjectName.MaximumLength = TotalSize;
InitializeObjectAttributes(&ObjectAttributes, &ObjectName,
OBJ_CASE_INSENSITIVE, hHandle, NULL);
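Review bot: The terminator at `pStr[Length+3+(BufferSize/sizeof(WCHAR))]` lands one WCHAR past the end of the copied `Buffer`, so the WCHAR at index `Length+2+(BufferSize/sizeof(WCHAR))` is never written. Because `HeapAlloc` is called with flags 0 and `ObjectName.Length` is then set to `TotalSize`, that uninitialised heap content and the terminator become part of the object name passed on with the create request. Either allocate with `pStr = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, TotalSize);` or write the terminator directly after the copied data and set `Length` to the bytes actually filled. `UNICODE_STRING.Length` and `MaximumLength` are USHORT, so `ObjectName.Length = ObjectName.MaximumLength = TotalSize;` silently truncates once `TotalSize` exceeds 0xFFFF; the size should be range-checked before the allocation, for example `if (TotalSize > 0xFFFF) return STATUS_INVALID_PARAMETER;`. The enclosing function starts and ends outside the hunk, so the declared types of `TotalSize` and `BufferSize` and any earlier validation of `BufferSize` (including an odd byte count, which the division rounds down) are not visible here.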