mirror of
https://github.com/reactos/reactos.git
synced 2024-07-01 02:10:07 +00:00
Andrey Korotaev <unc0rr@mail.ru>:
- Never trust MaximumLength passed from usermode when copying a unicode string (fixes a wide amount of crashes, tested with CdrLabel 4.1). svn path=/trunk/; revision=31010
This commit is contained in:
parent
98a17200e4
commit
729df301cd
|
@ -2397,10 +2397,10 @@ IntSafeCopyUnicodeString(PUNICODE_STRING Dest,
|
|||
|
||||
Src = Dest->Buffer;
|
||||
Dest->Buffer = NULL;
|
||||
Dest->MaximumLength = Dest->Length;
|
||||
|
||||
if(Dest->Length > 0 && Src)
|
||||
{
|
||||
Dest->MaximumLength = Dest->Length;
|
||||
Dest->Buffer = ExAllocatePoolWithTag(PagedPool, Dest->MaximumLength, TAG_STRING);
|
||||
if(!Dest->Buffer)
|
||||
{
|
||||
|
@ -2443,6 +2443,7 @@ IntSafeCopyUnicodeStringTerminateNULL(PUNICODE_STRING Dest,
|
|||
|
||||
Src = Dest->Buffer;
|
||||
Dest->Buffer = NULL;
|
||||
Dest->MaximumLength = 0;
|
||||
|
||||
if(Dest->Length > 0 && Src)
|
||||
{
|
||||
|
|
Loading…
Reference in a new issue