From afa27c26906f66850d5bfd3709165331adffa805 Mon Sep 17 00:00:00 2001
From: Hartmut Birr
Date: Mon, 4 Aug 2003 08:32:48 +0000
Subject: [PATCH] - Fixed a buffer overflow, if a atapi device returns more bytes as requested.
svn path=/trunk/; revision=5405
---
 reactos/drivers/storage/atapi/atapi.c | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/reactos/drivers/storage/atapi/atapi.c b/reactos/drivers/storage/atapi/atapi.c
index 49da543a5a7..ebdf85b54e1 100644
--- a/reactos/drivers/storage/atapi/atapi.c
+++ b/reactos/drivers/storage/atapi/atapi.c
@@ -16,7 +16,7 @@
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 */
-/* $Id: atapi.c,v 1.42 2003/07/12 19:18:31 ekohl Exp $
+/* $Id: atapi.c,v 1.43 2003/08/04 08:32:48 hbirr Exp $
 *
 * COPYRIGHT: See COPYING in the top level directory
 * PROJECT: ReactOS ATAPI miniport driver
@@ -909,6 +909,7 @@ AtapiInterrupt(IN PVOID DeviceExtension)
 ULONG Retries;
 PUCHAR TargetAddress;
 ULONG TransferSize;
+ ULONG tmpTransferSize;
 DPRINT("AtapiInterrupt() called!\n");
@@ -979,10 +980,11 @@ AtapiInterrupt(IN PVOID DeviceExtension)
 if (DevExt->DataTransferLength <= TransferSize)
 {
- if (!IsAtapi)
- {
- TransferSize = DevExt->DataTransferLength;
- }
+ if (IsAtapi)
+ {
+ tmpTransferSize = TransferSize - DevExt->DataTransferLength;
+ }
+ TransferSize = DevExt->DataTransferLength;
 DevExt->DataTransferLength = 0;
 IsLastBlock = TRUE;
 }
@@ -1019,6 +1021,17 @@ AtapiInterrupt(IN PVOID DeviceExtension)
 /* check DRQ */
 if (IsLastBlock)
 {
+ if (IsAtapi)
+ {
+ USHORT u;
+ while (tmpTransferSize > 0)
+ {
+ IDEReadBlock(CommandPortBase,
+ &u,
+ 2);
+ tmpTransferSize -= 2;
+ }
+ }
 for (Retries = 0; Retries < IDE_MAX_BUSY_RETRIES && (IDEReadStatus(CommandPortBase) & IDE_SR_BUSY); Retries++)
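Review bot: `tmpTransferSize` is declared without an initializer in the `-909` hunk, and the only assignment this patch shows is inside `if (IsAtapi)` under the `DataTransferLength <= TransferSize` branch. The drain loop added later reads it whenever `IsLastBlock` and `IsAtapi` are both true. If `IsLastBlock` can be set on any other path in AtapiInterrupt (the function body lies mostly outside these hunks, so this cannot be confirmed from here), the loop would run on an indeterminate count inside the interrupt handler. Declaring it as `ULONG tmpTransferSize = 0;` makes the drain a no-op unless a surplus was actually computed.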
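Review bot: The clamp in the `-979` hunk is the actual overflow fix, but nothing in the code says so, and the name `tmpTransferSize` does not tell a reader that it holds the bytes the device still wants to hand over. A comment above the new `if (IsAtapi)` would keep a later cleanup from removing it, for example `/* Device announced more data than the caller's buffer holds: copy only DataTransferLength bytes and remember the surplus so it can be drained. */`. Renaming the variable to something like `SurplusBytes` would also match the PascalCase locals already declared in this function. The enclosing branch begins and ends outside the hunk.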
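Review bot: The drain loop in the `-1019` hunk wraps when the surplus is odd: `tmpTransferSize` is a ULONG, so `tmpTransferSize -= 2` takes 1 to 0xFFFFFFFF and `while (tmpTransferSize > 0)` keeps reading the data port for billions of iterations inside the interrupt handler. Per the commit message the surplus comes from a length the device reports, so a faulty or malicious device decides its parity. Round the count up to a whole word before the loop, `tmpTransferSize = (tmpTransferSize + 1) & ~1UL;`, or decrement with `tmpTransferSize -= (tmpTransferSize > 1) ? 2 : 1;`. The loop also trusts the device's count without re-checking DRQ, so an upper bound on discarded words would limit time spent here; whether `IDEReadBlock`'s third argument is a byte count is assumed from the `-= 2` and should be confirmed. The `for` statement that follows continues outside the hunk.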