[NTOS:MM] Properly fail for invalid sizes of data section mappings

ntoskrnl/mm/ARM3/section.c

@@ -1326,25 +1326,26 @@ MiMapViewOfDataSection(IN PCONTROL_AREA ControlArea,
     /* Check if the caller specified the view size */
     if (!(*ViewSize))
     {
+        LONGLONG ViewSizeLL;
+
         /* The caller did not, so pick a 64K aligned view size based on the offset */
         SectionOffset->LowPart &= ~(_64K - 1);
 
-        /* Make sure that we will not overflow */
+        /* Calculate size and make sure this fits */
-        if ((Section->SizeOfSection.QuadPart - SectionOffset->QuadPart) > MAXLONG_PTR)
+        if (!NT_SUCCESS(RtlLongLongSub(Section->SizeOfSection.QuadPart, SectionOffset->QuadPart, &ViewSizeLL))
+            || !NT_SUCCESS(RtlLongLongToSIZET(ViewSizeLL, ViewSize))
+            || (*ViewSize > MAXLONG_PTR))
         {
             MiDereferenceControlArea(ControlArea);
             return STATUS_INVALID_VIEW_SIZE;
         }
-
-        *ViewSize = (SIZE_T)(Section->SizeOfSection.QuadPart - SectionOffset->QuadPart);
     }
     else
     {
-        /* A size was specified, align it to a 64K boundary */
+        /* A size was specified, align it to a 64K boundary
-        *ViewSize += SectionOffset->LowPart & (_64K - 1);
+         * and check for overflow or huge value. */
-
+        if (!NT_SUCCESS(RtlSIZETAdd(*ViewSize, SectionOffset->LowPart & (_64K - 1), ViewSize))
-        /* Check for overflow or huge value */
+            || (*ViewSize > MAXLONG_PTR))
-        if ((*ViewSize < (SectionOffset->LowPart & (_64K - 1))) || ((*ViewSize) > MAXLONG_PTR))
         {
             MiDereferenceControlArea(ControlArea);
             return STATUS_INVALID_VIEW_SIZE;