[NTOSKRNL] Fix some possible overruns in FsRtlIsNameInExpressionPrivate + add a test from Thomas. CORE-12121

svn path=/trunk/; revision=73765
2025-07-31 19:21:38 +00:00 · 2017-02-09 00:12:36 +00:00 · 2017-02-09 00:12:36 +00:00 · 4e9706e794
commit 4e9706e794
parent 9e0186b983
2 changed files with 7 additions and 4 deletions
--- a/reactos/ntoskrnl/fsrtl/name.c
+++ b/reactos/ntoskrnl/fsrtl/name.c
@ -113,7 +113,7 @@ FsRtlIsNameInExpressionPrivate(IN PUNICODE_STRING Expression,
        if (NamePosition >= Name->Length / sizeof(WCHAR))
        {
            EndOfName = TRUE;
-            if (OldBackTracking[MatchingChars - 1] == Expression->Length * 2)
+            if (MatchingChars && (OldBackTracking[MatchingChars - 1] == Expression->Length * 2))
                break;
        }

@ -155,8 +155,8 @@ FsRtlIsNameInExpressionPrivate(IN PUNICODE_STRING Expression,
                }

                /* Basic check to test if chars are equal */
-                CompareChar = IgnoreCase ? UpcaseTable[Name->Buffer[NamePosition]] :
-                                           Name->Buffer[NamePosition];
+                CompareChar = (NamePosition >= Name->Length / sizeof(WCHAR)) ? UNICODE_NULL : (IgnoreCase ? UpcaseTable[Name->Buffer[NamePosition]] :
+                                           Name->Buffer[NamePosition]);
                if (Expression->Buffer[ExpressionPosition / sizeof(WCHAR)] == CompareChar && !EndOfName)
                {
                    BackTracking[BackTrackingPosition++] = (ExpressionPosition + sizeof(WCHAR)) * 2;
@ -233,7 +233,7 @@ FsRtlIsNameInExpressionPrivate(IN PUNICODE_STRING Expression,
    }

    /* Store result value */
-    Result = (OldBackTracking[MatchingChars - 1] == (Expression->Length * 2));
+    Result = MatchingChars > 0 && (OldBackTracking[MatchingChars - 1] == (Expression->Length * 2));

    /* Frees the memory if necessary */
    if (BackTracking != BackTrackingBuffer && BackTracking != OldBackTrackingBuffer)
--- a/rostests/kmtests/ntos_fsrtl/FsRtlExpression.c
+++ b/rostests/kmtests/ntos_fsrtl/FsRtlExpression.c
@ -173,6 +173,9 @@ struct
    { L"a>>>exe",               L"ac.exe",                      FALSE,  FALSE,  FALSE },
    { L"<.exe",                 L"test.exe",                    FALSE,  FALSE,  TRUE },
    { L"<.EXE",                 L"test.exe",                    TRUE,   FALSE,  TRUE },
+    { L"*_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.*.*_*_*.MANIFEST",
+                                L"X86_MICROSOFT.VC90.ATL_1FC8B3B9A1E18E3B_9.0.30729.6161_X-WW_92453BB7.CAT",
+                                                                FALSE,  FALSE,  FALSE },
 };

 static VOID FsRtlIsNameInExpressionTest()