Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-02-22 16:36:33 +00:00
Code Issues Projects Releases Packages Wiki Activity

fix handling of unsafe string parameter in NtGdiGetFontResourceInfoInternalW

Browse source 
svn path=/trunk/; revision=32810
This commit is contained in:
Timo Kreuzer 2008-04-01 18:21:06 +00:00
parent 5e25cba5ab
commit 43d5fa83aa
1 changed files with 22 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
reactos/subsystems/win32/win32k/objects/text.c
View file

@ -4358,6 +4358,7 @@ NtGdiGetFontResourceInfoInternalW(
DWORD dwBytes; DWORD dwBytes;
UNICODE_STRING SafeFileNames; UNICODE_STRING SafeFileNames;
BOOL bRet = FALSE; BOOL bRet = FALSE;
ULONG cbStringSize;
union union
{ {
@ -4375,13 +4376,26 @@ NtGdiGetFontResourceInfoInternalW(
return FALSE; return FALSE;
} }
/* Check buffers and copy pwszFiles */ /* Allocate a safe unicode string buffer */
cbStringSize = cwc * sizeof(WCHAR);
SafeFileNames.MaximumLength = SafeFileNames.Length = cbStringSize - sizeof(WCHAR);
SafeFileNames.Buffer = ExAllocatePoolWithTag(PagedPool,
cbStringSize,
TAG('R','T','S','U'));
if (!SafeFileNames.Buffer)
{
SetLastWin32Error(ERROR_NOT_ENOUGH_MEMORY);
return FALSE;
}
/* Check buffers and copy pwszFiles to safe unicode string */
_SEH_TRY _SEH_TRY
{ {
ProbeForRead(pwszFiles, cwc * sizeof(WCHAR), 1); ProbeForRead(pwszFiles, cbStringSize, 1);
bRet = RtlCreateUnicodeString(&SafeFileNames, pwszFiles);
ProbeForWrite(pdwBytes, sizeof(DWORD), 1); ProbeForWrite(pdwBytes, sizeof(DWORD), 1);
ProbeForWrite(pvBuf, cjIn, 1); ProbeForWrite(pvBuf, cjIn, 1);
RtlCopyMemory(SafeFileNames.Buffer, pwszFiles, cbStringSize);
} }
_SEH_HANDLE _SEH_HANDLE
{ {
@ -4389,20 +4403,15 @@ NtGdiGetFontResourceInfoInternalW(
} }
_SEH_END _SEH_END
if(!bRet)
{
/* Could not create the unicode string, so return instantly */
return FALSE;
}
if(!NT_SUCCESS(Status)) if(!NT_SUCCESS(Status))
{ {
SetLastNtError(Status); SetLastNtError(Status);
/* Free the string for the filename */ /* Free the string buffer for the safe filename */
RtlFreeUnicodeString(&SafeFileNames); ExFreePool(SafeFileNames.Buffer);
return FALSE; return FALSE;
} }
/* Do the actual call */
bRet = IntGdiGetFontResourceInfo(&SafeFileNames, &Buffer, &dwBytes, dwType); bRet = IntGdiGetFontResourceInfo(&SafeFileNames, &Buffer, &dwBytes, dwType);
/* Check if succeeded and the buffer is big enough */ /* Check if succeeded and the buffer is big enough */
@ -4428,8 +4437,8 @@ NtGdiGetFontResourceInfoInternalW(
} }
} }
/* Free the string for the filename */ /* Free the string for the safe filenames */
RtlFreeUnicodeString(&SafeFileNames); ExFreePool(SafeFileNames.Buffer);
return bRet; return bRet;
} }