[RTL]

- Fix a buffer overflow in RtlSetBits/RtlClearBits svn path=/trunk/; revision=64867
2025-01-01 03:54:02 +00:00 · 2014-10-21 14:22:28 +00:00 · 2014-10-21 14:22:28 +00:00 · 268d1c62fe
commit 268d1c62fe
parent dfde71668b
2 changed files with 20 additions and 4 deletions
--- a/reactos/lib/rtl/bitmap.c
+++ b/reactos/lib/rtl/bitmap.c
@ -362,8 +362,11 @@ RtlClearBits(

    /* Clear what's left */
    NumberToClear &= (_BITCOUNT - 1);
-    Mask = MAXINDEX << NumberToClear;
-    *Buffer &= Mask;
+    if (NumberToClear)
+    {
+        Mask = MAXINDEX << NumberToClear;
+        *Buffer &= Mask;
+    }
 }

 VOID
@ -419,8 +422,11 @@ RtlSetBits(

    /* Set what's left */
    NumberToSet &= (_BITCOUNT - 1);
-    Mask = MAXINDEX << NumberToSet;
-    *Buffer |= ~Mask;
+    if (NumberToSet)
+    {
+        Mask = MAXINDEX << NumberToSet;
+        *Buffer |= ~Mask;
+    }
 }

 BOOLEAN
--- a/rostests/apitests/ntdll/RtlBitmap.c
+++ b/rostests/apitests/ntdll/RtlBitmap.c
@ -200,6 +200,11 @@ Test_RtlClearBits(void)
    ok_hex(Buffer[0], 0x00001fff);
    ok_hex(Buffer[1], 0xfffffff8);

+    memset(Buffer, 0xff, BufferSize);
+    RtlClearBits(&BitMapHeader, 63, 1);
+    ok_hex(Buffer[0], 0xffffffff);
+    ok_hex(Buffer[1], 0x7fffffff);
+
    memset(Buffer, 0xcc, BufferSize);
    RtlClearBits(&BitMapHeader, 3, 6);
    RtlClearBits(&BitMapHeader, 11, 5);
@ -245,6 +250,11 @@ Test_RtlSetBits(void)
    ok_hex(Buffer[0], 0xffffe000);
    ok_hex(Buffer[1], 0x00000007);

+    memset(Buffer, 0x00, BufferSize);
+    RtlSetBits(&BitMapHeader, 63, 1);
+    ok_hex(Buffer[0], 0x00000000);
+    ok_hex(Buffer[1], 0x80000000);
+
    memset(Buffer, 0xcc, BufferSize);
    RtlSetBits(&BitMapHeader, 3, 6);
    RtlSetBits(&BitMapHeader, 11, 5);