[KERNEL32]

Clean-up IntReadConsoleOutputCode a little bit. [CONSRV] Fix a buffer overflow in SrvReadConsoleOutputString, which was translated sometimes into heap corruption and assert, triggered when freeing a remote captured buffer in csrsrv, when executing kernel32_winetest console, just during a call to ReadConsoleOutputCharacterA. Nevertheless I still keep the culprit code (commented-out now) because it might be useful in the future. svn path=/branches/ros-csrss/; revision=58229
2025-08-07 17:03:01 +00:00 · 2013-01-26 19:07:59 +00:00 · 2013-01-26 19:07:59 +00:00 · 7846f054ff
commit 7846f054ff
parent 6d28ec8640
2 changed files with 28 additions and 35 deletions
--- a/dll/win32/kernel32/client/console/readwrite.c
+++ b/dll/win32/kernel32/client/console/readwrite.c
@ -351,33 +351,26 @@ IntReadConsoleOutputCode(HANDLE hConsoleOutput,
    ReadOutputCodeRequest->CodeType = CodeType;
    ReadOutputCodeRequest->ReadCoord = dwReadCoord;
-    // while (nLength > 0)
+    ReadOutputCodeRequest->NumCodesToRead = nLength;
    Status = CsrClientCallServer((PCSR_API_MESSAGE)&ApiMessage,
                                 CaptureBuffer,
                                 CSR_CREATE_API_NUMBER(CONSRV_SERVERDLL_INDEX, ConsolepReadConsoleOutputString),
                                 sizeof(CONSOLE_READOUTPUTCODE));
    if (!NT_SUCCESS(Status) || !NT_SUCCESS(Status = ApiMessage.Status))
    {
-        ReadOutputCodeRequest->NumCodesToRead = nLength;
+        BaseSetLastNTError(Status);
-        // SizeBytes = ReadOutputCodeRequest->NumCodesToRead * CodeSize;
+        CsrFreeCaptureBuffer(CaptureBuffer);
-
+        return FALSE;
        Status = CsrClientCallServer((PCSR_API_MESSAGE)&ApiMessage,
                                     CaptureBuffer,
                                     CSR_CREATE_API_NUMBER(CONSRV_SERVERDLL_INDEX, ConsolepReadConsoleOutputString),
                                     sizeof(CONSOLE_READOUTPUTCODE));
        if (!NT_SUCCESS(Status) || !NT_SUCCESS(Status = ApiMessage.Status))
        {
            BaseSetLastNTError(Status);
            CsrFreeCaptureBuffer(CaptureBuffer);
            return FALSE;
        }
        BytesRead = ReadOutputCodeRequest->CodesRead * CodeSize;
        memcpy(pCode, ReadOutputCodeRequest->pCode.pCode, BytesRead);
        // pCode = (PVOID)((ULONG_PTR)pCode + /*(ULONG_PTR)*/BytesRead);
        // nLength -= ReadOutputCodeRequest->CodesRead;
        // CodesRead += ReadOutputCodeRequest->CodesRead;
        ReadOutputCodeRequest->ReadCoord = ReadOutputCodeRequest->EndCoord;
    }
    BytesRead = ReadOutputCodeRequest->CodesRead * CodeSize;
    memcpy(pCode, ReadOutputCodeRequest->pCode.pCode, BytesRead);
    ReadOutputCodeRequest->ReadCoord = ReadOutputCodeRequest->EndCoord;
    if (lpNumberOfCodesRead != NULL)
-        *lpNumberOfCodesRead = /*CodesRead;*/ ReadOutputCodeRequest->CodesRead;
+        *lpNumberOfCodesRead = ReadOutputCodeRequest->CodesRead;
    CsrFreeCaptureBuffer(CaptureBuffer);
--- a/win32ss/user/consrv/conoutput.c
+++ b/win32ss/user/consrv/conoutput.c
@ -862,20 +862,20 @@ CSR_API(SrvReadConsoleOutputString)
        }
    }
-    switch (CodeType)
+    // switch (CodeType)
-    {
+    // {
-        case CODE_UNICODE:
+        // case CODE_UNICODE:
-            *(PWCHAR)ReadBuffer = 0;
+            // *(PWCHAR)ReadBuffer = 0;
-            break;
+            // break;
-        case CODE_ASCII:
+        // case CODE_ASCII:
-            *(PCHAR)ReadBuffer = 0;
+            // *(PCHAR)ReadBuffer = 0;
-            break;
+            // break;
-        case CODE_ATTRIBUTE:
+        // case CODE_ATTRIBUTE:
-            *(PWORD)ReadBuffer = 0;
+            // *(PWORD)ReadBuffer = 0;
-            break;
+            // break;
-    }
+    // }
    ReadOutputCodeRequest->EndCoord.X = Xpos;
    ReadOutputCodeRequest->EndCoord.Y = (Ypos - Buff->VirtualY + Buff->MaxY) % Buff->MaxY;