From 808fec3b7696f7a6538600f7a3592af9ff20eca6 Mon Sep 17 00:00:00 2001
From: Thomas Bluemel
Date: Thu, 20 Jan 2005 21:03:35 +0000
Subject: [PATCH] don't touch memory outside the area to be probed in ProbeForWrite() and minor address range check fixes in ProbeForRead/Write()

svn path=/trunk/; revision=13167
---
 reactos/ntoskrnl/mm/virtual.c | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/reactos/ntoskrnl/mm/virtual.c b/reactos/ntoskrnl/mm/virtual.c
index 6321380c4b9..e98781ed24d 100644
--- a/reactos/ntoskrnl/mm/virtual.c
+++ b/reactos/ntoskrnl/mm/virtual.c
@@ -795,7 +795,7 @@ ProbeForRead (IN CONST VOID *Address,
 IN ULONG Length,
 IN ULONG Alignment)
 {
- ASSERT(Alignment ==1 || Alignment == 2 || Alignment == 4 || Alignment == 8);
+ ASSERT(Alignment == 1 || Alignment == 2 || Alignment == 4 || Alignment == 8);

 if (Length == 0)
 return;
@@ -804,8 +804,8 @@ ProbeForRead (IN CONST VOID *Address,
 {
 ExRaiseStatus (STATUS_DATATYPE_MISALIGNMENT);
 }
- else if ((ULONG_PTR)Address + Length < (ULONG_PTR)Address ||
- (ULONG_PTR)Address + Length > (ULONG_PTR)MmUserProbeAddress)
+ else if ((ULONG_PTR)Address + Length - 1 < (ULONG_PTR)Address ||
+ (ULONG_PTR)Address + Length - 1 > (ULONG_PTR)MmUserProbeAddress)
 {
 ExRaiseStatus (STATUS_ACCESS_VIOLATION);
 }
@@ -820,10 +820,10 @@ ProbeForWrite (IN CONST VOID *Address,
 IN ULONG Length,
 IN ULONG Alignment)
 {
- volatile PCHAR Ptr;
- ULONG i;
+ volatile CHAR *Current;
+ PCHAR Last;

- ASSERT(Alignment ==1 || Alignment == 2 || Alignment == 4 || Alignment == 8);
+ ASSERT(Alignment == 1 || Alignment == 2 || Alignment == 4 || Alignment == 8);

 if (Length == 0)
 return;
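Review bot: The new upper-bound test in ProbeForRead (the @@ -804 hunk) compares the last byte, `Address + Length - 1`, against MmUserProbeAddress with `>`, so a range whose final byte lies exactly at MmUserProbeAddress is now accepted, whereas the old end-exclusive test rejected it. The definition of MmUserProbeAddress is not visible here; if it is the first address a user buffer must not reach, the comparison should be `(ULONG_PTR)Address + Length - 1 >= (ULONG_PTR)MmUserProbeAddress`. The same applies to `(ULONG_PTR)Last > (ULONG_PTR)MmUserProbeAddress` added to ProbeForWrite in the @@ -832 hunk. A one-line comment above each check stating whether the bound is inclusive would keep the two functions from drifting apart. ProbeForRead's body starts and ends outside this hunk.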
@@ -832,18 +832,21 @@ ProbeForWrite (IN CONST VOID *Address,
 {
 ExRaiseStatus (STATUS_DATATYPE_MISALIGNMENT);
 }
- else if ((ULONG_PTR)Address + Length < (ULONG_PTR)Address ||
- (ULONG_PTR)Address + Length > (ULONG_PTR)MmUserProbeAddress)
+
+ Last = (PCHAR)((ULONG_PTR)Address + Length - 1);
+ if ((ULONG_PTR)Last < (ULONG_PTR)Address ||
+ (ULONG_PTR)Last > (ULONG_PTR)MmUserProbeAddress)
 {
 ExRaiseStatus (STATUS_ACCESS_VIOLATION);
 }

 /* Check for accessible pages */
- for (i = 0; i < Length; i += PAGE_SIZE)
+ Current = (CHAR*)Address;
+ do
 {
- Ptr = (PCHAR)(((ULONG_PTR)Address & ~(PAGE_SIZE - 1)) + i);
- *Ptr = *Ptr;
- }
+ *Current = *Current;
+ Current = (CHAR*)((ULONG_PTR)Current + PAGE_SIZE);
+ } while (Current <= Last);
 }

 /* EOF */
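Review bot: The probe loop in ProbeForWrite can skip the final page of the range: `Current` starts at the unaligned `Address` and advances by a whole PAGE_SIZE, so when the buffer crosses a page boundary but `Last` sits at a lower page offset than `Address`, `Current` steps past `Last` and the page holding `Last` is never touched. A caller would then treat an unprobed, possibly read-only or unmapped page as writable. Rounding the step down to the page start covers every page while keeping each access inside the range: `Current = (CHAR*)(((ULONG_PTR)Current & ~(PAGE_SIZE - 1)) + PAGE_SIZE);`. A comment on the loop stating that one byte per page in [Address, Last] is touched would make the intent checkable. ProbeForWrite begins outside this hunk.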