fixed possible buffer overflows in LookupAccountSidW(): LSA_UNICODE_STRINGs are not necessarily NULL-terminated!

svn path=/trunk/; revision=20855
2025-08-05 21:42:57 +00:00 · 2006-01-14 16:31:28 +00:00 · 2006-01-14 16:31:28 +00:00 · a988d3cfe2
commit a988d3cfe2
parent 2edcb03c9d
1 changed files with 6 additions and 5 deletions
--- a/reactos/lib/advapi32/sec/misc.c
+++ b/reactos/lib/advapi32/sec/misc.c
@ -872,15 +872,14 @@ LookupAccountSidW (
 	PSID_NAME_USE peUse )
 {
 	LSA_UNICODE_STRING SystemName;
-	LSA_OBJECT_ATTRIBUTES ObjectAttributes;
+        LSA_OBJECT_ATTRIBUTES ObjectAttributes = {0};
-	LSA_HANDLE PolicyHandle = INVALID_HANDLE_VALUE;
+	LSA_HANDLE PolicyHandle = NULL;
 	NTSTATUS Status;
 	PLSA_REFERENCED_DOMAIN_LIST ReferencedDomain = NULL;
 	PLSA_TRANSLATED_NAME TranslatedName = NULL;
 	BOOL ret;
 	RtlInitUnicodeString ( &SystemName, pSystemName );
 	ZeroMemory(&ObjectAttributes, sizeof(ObjectAttributes));
 	Status = LsaOpenPolicy ( &SystemName, &ObjectAttributes, POLICY_LOOKUP_NAMES, &PolicyHandle );
 	if ( !NT_SUCCESS(Status) )
 	{
@ -910,7 +909,8 @@ LookupAccountSidW (
 			else
 			{
 				*pdwAccountName = dwSrcLen;
-				wcscpy ( pAccountName, TranslatedName->Name.Buffer );
+				RtlCopyMemory ( pAccountName, TranslatedName->Name.Buffer, TranslatedName->Name.Length );
                                pAccountName[TranslatedName->Name.Length / sizeof(WCHAR)] = L'\0';
 			}
 			if ( peUse )
 				*peUse = TranslatedName->Use;
@ -929,7 +929,8 @@ LookupAccountSidW (
 				else
 				{
 					*pdwDomainName = dwSrcLen;
-					wcscpy ( pDomainName, ReferencedDomain->Domains[0].Name.Buffer );
+					RtlCopyMemory ( pDomainName, ReferencedDomain->Domains[0].Name.Buffer, ReferencedDomain->Domains[0].Name.Length );
                                        pDomainName[ReferencedDomain->Domains[0].Name.Length / sizeof(WCHAR)] = L'\0';
 				}
 			}
 		}