Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-08-05 23:12:56 +00:00
Code Issues Projects Releases Packages Wiki Activity

[KERNEL32]

Browse source 
Fix heap buffer overflow in case PendingFileRenameOperations already exists.
Spotted by Thomas

svn path=/trunk/; revision=66356
This commit is contained in:
Pierre Schweitzer 2015-02-19 19:05:56 +00:00
parent 5fa459dac2
commit becaec4f27
1 changed files with 6 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

10
reactos/dll/win32/kernel32/client/file/move.c
View file

@ -92,7 +92,7 @@ BasepMoveFileDelayed(IN PUNICODE_STRING ExistingPath,
} }
/* Reserve enough to read previous string + to append our with required null chars */ /* Reserve enough to read previous string + to append our with required null chars */
BufferLength = NewPath->Length + ExistingPath->Length + STRING_LENGTH + 3 * sizeof(WCHAR); BufferLength = NewPath->Length + ExistingPath->Length + STRING_LENGTH + 3 * sizeof(UNICODE_NULL);
/* Check we didn't overflow */ /* Check we didn't overflow */
if (BufferLength < STRING_LENGTH) if (BufferLength < STRING_LENGTH)
{ {
@ -122,7 +122,7 @@ BasepMoveFileDelayed(IN PUNICODE_STRING ExistingPath,
/* If buffer was too small, then, reallocate one which is big enough */ /* If buffer was too small, then, reallocate one which is big enough */
StringLength = DataSize; StringLength = DataSize;
RtlFreeHeap(RtlGetProcessHeap(), 0, Buffer); RtlFreeHeap(RtlGetProcessHeap(), 0, Buffer);
BufferLength = ExistingPath->Length + StringLength + NewPath->Length + 3 * sizeof(WCHAR); BufferLength = ExistingPath->Length + StringLength + NewPath->Length + 3 * sizeof(UNICODE_NULL);
if (BufferLength < StringLength) if (BufferLength < StringLength)
{ {
NtClose(KeyHandle); NtClose(KeyHandle);
@ -148,9 +148,11 @@ BasepMoveFileDelayed(IN PUNICODE_STRING ExistingPath,
{ {
PKEY_VALUE_PARTIAL_INFORMATION PartialInfo = (PKEY_VALUE_PARTIAL_INFORMATION)Buffer; PKEY_VALUE_PARTIAL_INFORMATION PartialInfo = (PKEY_VALUE_PARTIAL_INFORMATION)Buffer;
/* Get data, our buffer begin and then where we should append data (+ null char) */ /* Get data, our buffer begin and then where we should append data
* (- null char, this is REG_MULTI_SZ, it already includes double termination, we keep only one)
*/
BufferBegin = PartialInfo->Data; BufferBegin = PartialInfo->Data;
BufferWrite = (PWSTR)((ULONG_PTR)PartialInfo->Data + PartialInfo->DataLength + sizeof(WCHAR)); BufferWrite = (PWSTR)((ULONG_PTR)PartialInfo->Data + PartialInfo->DataLength - sizeof(UNICODE_NULL));
} }
/* First copy existing */ /* First copy existing */