Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2024-05-21 12:52:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

[WIN32K:NTUSER] Zero allocated memory in IntCbAllocateMemory.

Browse source 
This avoids disclosing pool contents to user mode when not all members
of the respective structure are initialized or when there is padding.

In co_IntCallWindowProc, also zero the stack buffer since this can
be passed to user mode as well, and contains padding.
This commit is contained in:
Nguyen Trung Khanh 2020-06-20 10:16:56 +07:00 committed by Thomas Faber
parent 67592f9750
commit a279b1d2c6
No known key found for this signature in database
GPG key ID: 076E7C3D44720826
2 changed files with 2 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
win32ss/user/ntuser/callback.c
View file

@ -35,6 +35,7 @@ IntCbAllocateMemory(ULONG Size)
return NULL;
}
RtlZeroMemory(Mem, Size + sizeof(INT_CALLBACK_HEADER));
W32Thread = PsGetCurrentThreadWin32Thread();
ASSERT(W32Thread);
@ -185,10 +186,6 @@ co_IntClientLoadLibrary(PUNICODE_STRING pstrLibName,
pLibNameBuffer -= (ULONG_PTR)pArguments;
pArguments->strLibraryName.Buffer = (PWCHAR)(pLibNameBuffer);
}
else
{
RtlZeroMemory(&pArguments->strLibraryName, sizeof(UNICODE_STRING));
}
if(pstrInitFunc)
{
@ -202,10 +199,6 @@ co_IntClientLoadLibrary(PUNICODE_STRING pstrLibName,
pInitFuncBuffer -= (ULONG_PTR)pArguments;
pArguments->strInitFuncName.Buffer = (PWCHAR)(pInitFuncBuffer);
}
else
{
RtlZeroMemory(&pArguments->strInitFuncName, sizeof(UNICODE_STRING));
}
/* Do the callback */
UserLeaveCo();
@ -294,7 +287,7 @@ co_IntCallWindowProc(WNDPROC Proc,
LPARAM lParam,
INT lParamBufferSize)
{
WINDOWPROC_CALLBACK_ARGUMENTS StackArguments;
WINDOWPROC_CALLBACK_ARGUMENTS StackArguments = { 0 };
PWINDOWPROC_CALLBACK_ARGUMENTS Arguments;
NTSTATUS Status;
PVOID ResultPointer, pActCtx;
@ -662,7 +655,6 @@ co_IntCallHookProc(INT HookId,
Common->offPfn = offPfn;
Common->Ansi = Ansi;
Common->lParamSize = lParamSize;
RtlZeroMemory(&Common->ModuleName, sizeof(Common->ModuleName));
if (ModuleName->Buffer && ModuleName->Length)
{
RtlCopyMemory(&Common->ModuleName, ModuleName->Buffer, ModuleName->Length);
@ -929,9 +921,6 @@ co_IntCallLoadMenu( HINSTANCE hModule,
}
Common = (PLOADMENU_CALLBACK_ARGUMENTS) Argument;
// Help Intersource check and MenuName is now 4 bytes + so zero it.
RtlZeroMemory(Common, ArgumentLength);
Common->hModule = hModule;
if (pMenuName->Length)
RtlCopyMemory(&Common->MenuName, pMenuName->Buffer, pMenuName->Length);

1
win32ss/user/rtl/text.c
View file

@ -997,7 +997,6 @@ BOOL UserExtTextOutW(HDC hdc,
}
else
{
RtlZeroMemory(&Argument->rect, sizeof(RECT));
Argument->bRect = FALSE;
}