Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2024-06-29 01:12:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

[NTOS] Addendum to 03873aee: check that the computed size of the OEM-converted string is less than MAXUSHORT.

Browse source
This commit is contained in:
Hermès Bélusca-Maïto 2018-12-21 00:33:56 +01:00
parent 5c77cd9050
commit b2bad34b9b
No known key found for this signature in database
GPG key ID: 3B2539C65E7B93D0
1 changed files with 9 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
ntoskrnl/inbv/inbv.c
View file

@ -778,6 +778,7 @@ NtDisplayString(IN PUNICODE_STRING DisplayString)
NTSTATUS Status; NTSTATUS Status;
UNICODE_STRING CapturedString; UNICODE_STRING CapturedString;
OEM_STRING OemString; OEM_STRING OemString;
ULONG OemLength;
KPROCESSOR_MODE PreviousMode; KPROCESSOR_MODE PreviousMode;
PAGED_CODE(); PAGED_CODE();
@ -806,11 +807,14 @@ NtDisplayString(IN PUNICODE_STRING DisplayString)
* We cannot perform the allocation using RtlUnicodeStringToOemString() * We cannot perform the allocation using RtlUnicodeStringToOemString()
* since its allocator uses PagedPool. * since its allocator uses PagedPool.
*/ */
RtlInitEmptyAnsiString((PANSI_STRING)&OemString, NULL, OemLength = RtlUnicodeStringToOemSize(&CapturedString);
RtlUnicodeStringToOemSize(&CapturedString)); if (OemLength > MAXUSHORT)
OemString.Buffer = ExAllocatePoolWithTag(NonPagedPool, {
OemString.MaximumLength, Status = STATUS_BUFFER_OVERFLOW;
TAG_OSTR); goto Quit;
}
RtlInitEmptyAnsiString((PANSI_STRING)&OemString, NULL, (USHORT)OemLength);
OemString.Buffer = ExAllocatePoolWithTag(NonPagedPool, OemLength, TAG_OSTR);
if (OemString.Buffer == NULL) if (OemString.Buffer == NULL)
{ {
Status = STATUS_NO_MEMORY; Status = STATUS_NO_MEMORY;