Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-02-22 08:25:03 +00:00
Code Issues Projects Releases Packages Wiki Activity

[NTOS] Addendum to 03873aee: check that the computed size of the OEM-converted string is less than MAXUSHORT.

Browse source
This commit is contained in:
Hermès Bélusca-Maïto 2018-12-21 00:33:56 +01:00
parent 5c77cd9050
commit b2bad34b9b
No known key found for this signature in database
GPG key ID: 3B2539C65E7B93D0
1 changed files with 9 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
ntoskrnl/inbv/inbv.c
View file

@ -778,6 +778,7 @@ NtDisplayString(IN PUNICODE_STRING DisplayString)
NTSTATUS Status;
UNICODE_STRING CapturedString;
OEM_STRING OemString;
ULONG OemLength;
KPROCESSOR_MODE PreviousMode;
PAGED_CODE();
@ -806,11 +807,14 @@ NtDisplayString(IN PUNICODE_STRING DisplayString)
* We cannot perform the allocation using RtlUnicodeStringToOemString()
* since its allocator uses PagedPool.
*/
RtlInitEmptyAnsiString((PANSI_STRING)&OemString, NULL,
RtlUnicodeStringToOemSize(&CapturedString));
OemString.Buffer = ExAllocatePoolWithTag(NonPagedPool,
OemString.MaximumLength,
TAG_OSTR);
OemLength = RtlUnicodeStringToOemSize(&CapturedString);
if (OemLength > MAXUSHORT)
{
Status = STATUS_BUFFER_OVERFLOW;
goto Quit;
}
RtlInitEmptyAnsiString((PANSI_STRING)&OemString, NULL, (USHORT)OemLength);
OemString.Buffer = ExAllocatePoolWithTag(NonPagedPool, OemLength, TAG_OSTR);
if (OemString.Buffer == NULL)
{
Status = STATUS_NO_MEMORY;