From 72bb12e96c5c2256d21f886869573e72a600ddda Mon Sep 17 00:00:00 2001 From: Hartmut Birr Date: Sat, 30 Aug 2003 14:49:41 +0000 Subject: [PATCH] - Allocate a separate name buffer in RtlQueryRegistryValues. - Fixed a name parameter in a call to the callers supplied query routine. svn path=/trunk/; revision=5936 --- reactos/lib/ntdll/rtl/registry.c | 56 +++++++++++++++++++++++++------- reactos/ntoskrnl/cm/rtlfunc.c | 35 +++++++++++++++++--- 2 files changed, 76 insertions(+), 15 deletions(-) diff --git a/reactos/lib/ntdll/rtl/registry.c b/reactos/lib/ntdll/rtl/registry.c index 371d6d219a2..4dd04bd8363 100644 --- a/reactos/lib/ntdll/rtl/registry.c +++ b/reactos/lib/ntdll/rtl/registry.c @@ -1,4 +1,4 @@ -/* $Id: registry.c,v 1.23 2003/08/14 14:52:13 ekohl Exp $ +/* $Id: registry.c,v 1.24 2003/08/30 14:47:36 hbirr Exp $ * * COPYRIGHT: See COPYING in the top level directory * PROJECT: ReactOS kernel @@ -184,8 +184,10 @@ RtlQueryRegistryValues(IN ULONG RelativeTo, ULONG ResultSize; ULONG Index; ULONG StringLen; + ULONG ValueNameSize; PWSTR StringPtr; PWSTR ExpandBuffer; + PWSTR ValueName; UNICODE_STRING EnvValue; UNICODE_STRING EnvExpandedValue; @@ -350,7 +352,7 @@ RtlQueryRegistryValues(IN ULONG RelativeTo, RtlInitUnicodeString(&EnvValue, (PWSTR)ValueInfo->Data); EnvExpandedValue.Length = 0; - EnvExpandedValue.MaximumLength = ValueInfo->DataLength * 2 * sizeof(WCHAR); + EnvExpandedValue.MaximumLength = ValueInfo->DataLength * 2; EnvExpandedValue.Buffer = ExpandBuffer; *ExpandBuffer = 0; @@ -484,7 +486,7 @@ RtlQueryRegistryValues(IN ULONG RelativeTo, &StringLen); StringLen = (wcslen(ExpandBuffer) + 1) * sizeof(WCHAR); - Status = QueryEntry->QueryRoutine(FullValueInfo->Name, + Status = QueryEntry->QueryRoutine(QueryEntry->Name, REG_SZ, (PVOID)ExpandBuffer, StringLen, 
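Review bot: The corrected `EnvExpandedValue.MaximumLength = ValueInfo->DataLength * 2;` in the @@ -350 hunk is only right if it equals the byte count ExpandBuffer was allocated with, and that allocation is outside the hunk, so a comment tying the two together, `/* must equal the byte size ExpandBuffer was allocated with */`, would keep the next edit from reintroducing the mismatch. MaximumLength is a USHORT while the product is ULONG, so for DataLength of 32768 bytes or more the value is silently narrowed; that yields a smaller length rather than an overrun, but the expansion then presumably fails or truncates without any diagnosis, which deserves either a note or an explicit cap. The same assignment is corrected in the @@ -605 hunk and the observation applies there too. RtlQueryRegistryValues continues on both sides of the hunk.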
@@ -537,13 +539,21 @@ RtlQueryRegistryValues(IN ULONG RelativeTo, FullValueInfo = RtlAllocateHeap(RtlGetProcessHeap(), 0, BufferSize); - if (FullValueInfo == NULL) + if (FullValueInfo == NULL) { Status = STATUS_NO_MEMORY; break; } - - Index = 0; + ValueNameSize = 256 * sizeof(WCHAR); + ValueName = RtlAllocateHeap(RtlGetProcessHeap(), + 0, + ValueNameSize); + if (ValueName == NULL) + { + Status = STATUS_NO_MEMORY; + break; + } + Index = 0; while (TRUE) { Status = NtEnumerateValueKey(CurrentKeyHandle, @@ -567,6 +577,28 @@ RtlQueryRegistryValues(IN ULONG RelativeTo, break; } + if (FullValueInfo->NameLength > ValueNameSize - sizeof(WCHAR)) + { + /* Should not happen, because the name length is limited to 255 characters */ + RtlFreeHeap(RtlGetProcessHeap(), + 0, + ValueName); + ValueNameSize = FullValueInfo->NameLength + sizeof(WCHAR); + ValueName = RtlAllocateHeap(RtlGetProcessHeap(), + 0, + ValueNameSize); + if (ValueName == NULL) + { + Status = STATUS_NO_MEMORY; + break; + } + } + + memcpy(ValueName, + FullValueInfo->Name, + FullValueInfo->NameLength); + ValueName[FullValueInfo->NameLength / sizeof(WCHAR)] = 0; + DPRINT("FullValueInfo->Type: %lu\n", FullValueInfo->Type); if ((FullValueInfo->Type == REG_MULTI_SZ) && !(QueryEntry->Flags & RTL_QUERY_REGISTRY_NOEXPAND)) @@ -576,7 +608,7 @@ RtlQueryRegistryValues(IN ULONG RelativeTo, while (*StringPtr != 0) { StringLen = (wcslen(StringPtr) + 1) * sizeof(WCHAR); - Status = QueryEntry->QueryRoutine(QueryEntry->Name, + Status = QueryEntry->QueryRoutine(ValueName, REG_SZ, (PVOID)StringPtr, StringLen, @@ -605,7 +637,7 @@ RtlQueryRegistryValues(IN ULONG RelativeTo, RtlInitUnicodeString(&EnvValue, StringPtr); EnvExpandedValue.Length = 0; - EnvExpandedValue.MaximumLength = FullValueInfo->DataLength * 2 * sizeof(WCHAR); + EnvExpandedValue.MaximumLength = FullValueInfo->DataLength * 2; EnvExpandedValue.Buffer = ExpandBuffer; *ExpandBuffer = 0; 
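Review bot: When the new ValueName allocation fails, the `break` leaves the loop with FullValueInfo, allocated a few lines earlier in this hunk, still live, so the out-of-memory path leaks it; free it first, `RtlFreeHeap(RtlGetProcessHeap(), 0, FullValueInfo); Status = STATUS_NO_MEMORY; break;`. The rtlfunc.c hunk at @@ -412 has the same shape and needs the matching `ExFreePool(FullValueInfo);` before its break. Both allocations sit inside a loop whose head and tail are outside the hunk.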
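Review bot: The grow path in the @@ -567 hunk frees ValueName before the replacement allocation is known to succeed, so when RtlAllocateHeap returns NULL the `break` leaves ValueName NULL and the cleanup after the loop (hunk @@ -647) hands that NULL to RtlFreeHeap; the kernel copy in rtlfunc.c (@@ -437, cleanup at @@ -476) does the same with ExFreePool, which is not safe to call with a NULL argument. Allocating into a temporary and freeing the old buffer only on success avoids the dangling state entirely; the minimal change is to guard the cleanups, `if (ValueName != NULL) RtlFreeHeap(RtlGetProcessHeap(), 0, ValueName);` and `if (ValueName != NULL) ExFreePool(ValueName);` respectively. The comment `/* Should not happen, because the name length is limited to 255 characters */` overstates the invariant: on Windows the 255-character limit applies to key names, value names may be much longer, so this branch is reachable and the comment should say that rather than mark it as dead. The enclosing while loop starts and ends outside the hunk.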
@@ -615,7 +647,7 @@ RtlQueryRegistryValues(IN ULONG RelativeTo, &StringLen); StringLen = (wcslen(ExpandBuffer) + 1) * sizeof(WCHAR); - Status = QueryEntry->QueryRoutine(FullValueInfo->Name, + Status = QueryEntry->QueryRoutine(ValueName, REG_SZ, (PVOID)ExpandBuffer, StringLen, @@ -628,7 +660,7 @@ RtlQueryRegistryValues(IN ULONG RelativeTo, } else { - Status = QueryEntry->QueryRoutine(FullValueInfo->Name, + Status = QueryEntry->QueryRoutine(ValueName, FullValueInfo->Type, (PVOID)FullValueInfo + FullValueInfo->DataOffset, FullValueInfo->DataLength, @@ -647,7 +679,9 @@ RtlQueryRegistryValues(IN ULONG RelativeTo, RtlFreeHeap(RtlGetProcessHeap(), 0, FullValueInfo); - + RtlFreeHeap(RtlGetProcessHeap(), + 0, + ValueName); if (!NT_SUCCESS(Status)) break; } diff --git a/reactos/ntoskrnl/cm/rtlfunc.c b/reactos/ntoskrnl/cm/rtlfunc.c index ddf799a5237..639f2cf726b 100644 --- a/reactos/ntoskrnl/cm/rtlfunc.c +++ b/reactos/ntoskrnl/cm/rtlfunc.c @@ -13,7 +13,6 @@ #include #include #include -#include #include #define NDEBUG @@ -157,9 +156,11 @@ RtlQueryRegistryValues(IN ULONG RelativeTo, PKEY_VALUE_FULL_INFORMATION FullValueInfo; ULONG BufferSize; ULONG ResultSize; + ULONG ValueNameSize; ULONG Index; ULONG StringLen; PWSTR StringPtr; + PWSTR ValueName; DPRINT("RtlQueryRegistryValues() called\n"); @@ -412,7 +413,14 @@ RtlQueryRegistryValues(IN ULONG RelativeTo, Status = STATUS_NO_MEMORY; break; } - + ValueNameSize = 256 * sizeof(WCHAR); + ValueName = ExAllocatePool(PagedPool, + ValueNameSize); + if (ValueName == NULL) + { + Status = STATUS_NO_MEMORY; + break; + } Index = 0; while (TRUE) { 
@@ -437,6 +445,24 @@ RtlQueryRegistryValues(IN ULONG RelativeTo, break; } + if (FullValueInfo->NameLength > ValueNameSize - sizeof(WCHAR)) + { + /* Should not happen, because the name length is limited to 255 characters */ + ExFreePool(ValueName); + ValueNameSize = FullValueInfo->NameLength + sizeof(WCHAR); + ValueName = ExAllocatePool(PagedPool, ValueNameSize); + if (ValueName == NULL) + { + Status = STATUS_NO_MEMORY; + break; + } + } + + RtlCopyMemory(ValueName, + FullValueInfo->Name, + FullValueInfo->NameLength); + ValueName[FullValueInfo->NameLength / sizeof(WCHAR)] = 0; + if ((FullValueInfo->Type == REG_MULTI_SZ) && !(QueryEntry->Flags & RTL_QUERY_REGISTRY_NOEXPAND)) { @@ -446,7 +472,7 @@ RtlQueryRegistryValues(IN ULONG RelativeTo, while (*StringPtr != 0) { StringLen = (wcslen(StringPtr) + 1) * sizeof(WCHAR); - Status = QueryEntry->QueryRoutine(QueryEntry->Name, + Status = QueryEntry->QueryRoutine(ValueName, REG_SZ, (PVOID)StringPtr, StringLen, @@ -459,7 +485,7 @@ RtlQueryRegistryValues(IN ULONG RelativeTo, } else { - Status = QueryEntry->QueryRoutine(FullValueInfo->Name, + Status = QueryEntry->QueryRoutine(ValueName, FullValueInfo->Type, (PVOID)FullValueInfo + FullValueInfo->DataOffset, FullValueInfo->DataLength, @@ -476,6 +502,7 @@ RtlQueryRegistryValues(IN ULONG RelativeTo, } ExFreePool(FullValueInfo); + ExFreePool(ValueName); if (!NT_SUCCESS(Status)) break;