Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-08-05 22:43:04 +00:00
Code Issues Projects Releases Packages Wiki Activity

[WIN32SS] Fix buffer overflow in MDEVOBJ when having more than 10 display devices

Browse source
This commit is contained in:
Hervé Poussineau 2022-04-18 19:49:31 +02:00
parent 8897a890c9
commit 2c391b1eab
2 changed files with 25 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

20
win32ss/gdi/eng/mdevobj.c
View file

@ -73,7 +73,7 @@ MDEVOBJ_Create(
pdm ? pdm->dmBitsPerPel : 0, pdm ? pdm->dmBitsPerPel : 0,
pdm ? pdm->dmDisplayFrequency : 0); pdm ? pdm->dmDisplayFrequency : 0);
pmdev = ExAllocatePoolZero(PagedPool, sizeof(MDEVOBJ), GDITAG_MDEV); pmdev = ExAllocatePoolZero(PagedPool, sizeof(MDEVOBJ) + sizeof(MDEVDISPLAY), GDITAG_MDEV);
if (!pmdev) if (!pmdev)
{ {
ERR("Failed to allocate memory for MDEV\n"); ERR("Failed to allocate memory for MDEV\n");
@ -170,6 +170,24 @@ MDEVOBJ_Create(
if (ppdev) if (ppdev)
{ {
/* Great. We have a found a matching PDEV. Store it in MDEV */ /* Great. We have a found a matching PDEV. Store it in MDEV */
if (pmdev->cDev >= 1)
{
/* We have to reallocate MDEV to add space for the new display */
PMDEVOBJ pmdevBigger = ExAllocatePoolZero(PagedPool, sizeof(MDEVOBJ) + (pmdev->cDev + 1) * sizeof(MDEVDISPLAY), GDITAG_MDEV);
if (!pmdevBigger)
{
WARN("Failed to allocate memory for MDEV. Skipping display '%S'\n", pGraphicsDevice->szWinDeviceName);
continue;
}
else
{
/* Copy existing data */
RtlCopyMemory(pmdevBigger, pmdev, sizeof(MDEVOBJ) + pmdev->cDev * sizeof(MDEVDISPLAY));
ExFreePoolWithTag(pmdev, GDITAG_MDEV);
pmdev = pmdevBigger;
}
}
TRACE("Adding '%S' to MDEV %p\n", pGraphicsDevice->szWinDeviceName, pmdev); TRACE("Adding '%S' to MDEV %p\n", pGraphicsDevice->szWinDeviceName, pmdev);
PDEVOBJ_vReference(ppdev); PDEVOBJ_vReference(ppdev);
pmdev->dev[pmdev->cDev].ppdev = ppdev; pmdev->dev[pmdev->cDev].ppdev = ppdev;

10
win32ss/gdi/eng/mdevobj.h
View file

@ -5,14 +5,16 @@
typedef struct _PDEVOBJ *PPDEVOBJ; typedef struct _PDEVOBJ *PPDEVOBJ;
typedef struct _MDEVDISPLAY
{
PPDEVOBJ ppdev;
} MDEVDISPLAY, *PMDEVDISPLAY;
typedef struct _MDEVOBJ typedef struct _MDEVOBJ
{ {
ULONG cDev; ULONG cDev;
PPDEVOBJ ppdevGlobal; PPDEVOBJ ppdevGlobal;
struct MDEVDISPLAY dev[0];
{
PPDEVOBJ ppdev;
} dev[10]; /* FIXME: max number of displays. Needs dynamic allocation */
} MDEVOBJ, *PMDEVOBJ; } MDEVOBJ, *PMDEVOBJ;
/* Globals ********************************************************************/ /* Globals ********************************************************************/