Fixed a buffer overflow in DoQuery, if the unicode string (search pattern) isn't zero-terminated.

Fixed the returned length for the file names. Fixed the returned status at the end of a directory scan. svn path=/trunk/; revision=2589
2024-12-27 17:44:45 +00:00 · 2002-02-02 14:04:55 +00:00 · 2002-02-02 14:04:55 +00:00 · c64bcfabad
commit c64bcfabad
parent a5549b5653
2 changed files with 38 additions and 35 deletions
--- a/reactos/drivers/fs/vfat/dir.c
+++ b/reactos/drivers/fs/vfat/dir.c
@ -1,5 +1,5 @@
 /*
- * $Id: dir.c,v 1.21 2001/11/02 22:44:34 hbirr Exp $
+ * $Id: dir.c,v 1.22 2002/02/02 14:04:55 hbirr Exp $
 *
 * COPYRIGHT:        See COPYING in the top level directory
 * PROJECT:          ReactOS kernel
@ -100,14 +100,13 @@ VfatGetFileNameInformation (PVFATFCB pFcb,
 			   PFILE_NAMES_INFORMATION pInfo, ULONG BufferLength)
 {
  ULONG Length;
-  Length = vfat_wstrlen (pFcb->ObjectName);
-  if ((sizeof (FILE_DIRECTORY_INFORMATION) + Length * sizeof(WCHAR)) > BufferLength)
+  Length = vfat_wstrlen (pFcb->ObjectName) * sizeof(WCHAR);
+  if ((sizeof (FILE_DIRECTORY_INFORMATION) + Length) > BufferLength)
    return STATUS_BUFFER_OVERFLOW;
  pInfo->FileNameLength = Length;
  pInfo->NextEntryOffset =
-    DWORD_ROUND_UP (sizeof (FILE_DIRECTORY_INFORMATION) + Length * sizeof(WCHAR));
-  memcpy (pInfo->FileName, pFcb->ObjectName,
-	  sizeof (WCHAR) * (pInfo->FileNameLength));
+    DWORD_ROUND_UP (sizeof (FILE_DIRECTORY_INFORMATION) + Length);
+  memcpy (pInfo->FileName, pFcb->ObjectName, Length);
  return STATUS_SUCCESS;
 }

@ -119,14 +118,13 @@ VfatGetFileDirectoryInformation (PVFATFCB pFcb,
 {
  unsigned long long AllocSize;
  ULONG Length;
-  Length = vfat_wstrlen (pFcb->ObjectName);
-  if ((sizeof (FILE_DIRECTORY_INFORMATION) + Length * sizeof(WCHAR)) > BufferLength)
+  Length = vfat_wstrlen (pFcb->ObjectName) * sizeof(WCHAR);
+  if ((sizeof (FILE_DIRECTORY_INFORMATION) + Length) > BufferLength)
    return STATUS_BUFFER_OVERFLOW;
  pInfo->FileNameLength = Length;
  pInfo->NextEntryOffset =
-    DWORD_ROUND_UP (sizeof (FILE_DIRECTORY_INFORMATION) + Length * sizeof(WCHAR));
-  memcpy (pInfo->FileName, pFcb->ObjectName,
-	  sizeof (WCHAR) * (pInfo->FileNameLength));
+    DWORD_ROUND_UP (sizeof (FILE_DIRECTORY_INFORMATION) + Length);
+  memcpy (pInfo->FileName, pFcb->ObjectName, Length);
 //      pInfo->FileIndex=;
  FsdDosDateTimeToFileTime (pFcb->entry.CreationDate,
 			    pFcb->entry.CreationTime, &pInfo->CreationTime);
@ -154,14 +152,13 @@ VfatGetFileFullDirectoryInformation (PVFATFCB pFcb,
 {
  unsigned long long AllocSize;
  ULONG Length;
-  Length = vfat_wstrlen (pFcb->ObjectName);
-  if ((sizeof (FILE_FULL_DIRECTORY_INFORMATION) + Length * sizeof(WCHAR)) > BufferLength)
+  Length = vfat_wstrlen (pFcb->ObjectName) * sizeof(WCHAR);
+  if ((sizeof (FILE_FULL_DIRECTORY_INFORMATION) + Length) > BufferLength)
    return STATUS_BUFFER_OVERFLOW;
  pInfo->FileNameLength = Length;
  pInfo->NextEntryOffset =
-    DWORD_ROUND_UP (sizeof (FILE_FULL_DIRECTORY_INFORMATION) + Length * sizeof(WCHAR));
-  memcpy (pInfo->FileName, pFcb->ObjectName,
-	  sizeof (WCHAR) * (pInfo->FileNameLength));
+    DWORD_ROUND_UP (sizeof (FILE_FULL_DIRECTORY_INFORMATION) + Length);
+  memcpy (pInfo->FileName, pFcb->ObjectName, Length);
 //      pInfo->FileIndex=;
  FsdDosDateTimeToFileTime (pFcb->entry.CreationDate,
 			    pFcb->entry.CreationTime, &pInfo->CreationTime);
@ -190,14 +187,13 @@ VfatGetFileBothInformation (PVFATFCB pFcb,
  short i;
  unsigned long long AllocSize;
  ULONG Length;
-  Length = vfat_wstrlen (pFcb->ObjectName);
-  if ((sizeof (FILE_BOTH_DIRECTORY_INFORMATION) + Length * sizeof(WCHAR)) > BufferLength)
+  Length = vfat_wstrlen (pFcb->ObjectName) * sizeof(WCHAR);
+  if ((sizeof (FILE_BOTH_DIRECTORY_INFORMATION) + Length) > BufferLength)
    return STATUS_BUFFER_OVERFLOW;
  pInfo->FileNameLength = Length;
  pInfo->NextEntryOffset =
-    DWORD_ROUND_UP (sizeof (FILE_BOTH_DIRECTORY_INFORMATION) + Length * sizeof(WCHAR));
-  memcpy (pInfo->FileName, pFcb->ObjectName,
-	  sizeof (WCHAR) * (pInfo->FileNameLength));
+    DWORD_ROUND_UP (sizeof (FILE_BOTH_DIRECTORY_INFORMATION) + Length);
+  memcpy (pInfo->FileName, pFcb->ObjectName, Length);
 //      pInfo->FileIndex=;
  FsdDosDateTimeToFileTime (pFcb->entry.CreationDate,
 			    pFcb->entry.CreationTime, &pInfo->CreationTime);
@ -222,6 +218,7 @@ VfatGetFileBothInformation (PVFATFCB pFcb,
    pInfo->ShortName[i + 1 + pInfo->ShortNameLength] = pFcb->entry.Ext[i];
  if (i)
    pInfo->ShortNameLength += (i + 1);
+  pInfo->ShortNameLength *= sizeof(WCHAR);
  return STATUS_SUCCESS;
 }

@ -237,7 +234,7 @@ NTSTATUS DoQuery (PVFAT_IRP_CONTEXT IrpContext)
  PVFATFCB pFcb;
  VFATFCB tmpFcb;
  PVFATCCB pCcb;
-  WCHAR star[5], *pCharPattern;
+  WCHAR pCharPattern[MAX_PATH];
  unsigned long OldEntry, OldSector;

  pCcb = (PVFATCCB) IrpContext->FileObject->FsContext2;
@ -266,12 +263,14 @@ NTSTATUS DoQuery (PVFAT_IRP_CONTEXT IrpContext)
  DPRINT ("Buffer=%x tofind=%S\n", Buffer, pSearchPattern->Buffer);
  if (pSearchPattern == NULL)
    {
-      star[0] = '*';
-      star[1] = 0;
-      pCharPattern = star;
+      pCharPattern[0] = L'*';
+      pCharPattern[1] = 0;
    }
  else
-    pCharPattern = pSearchPattern->Buffer;
+    {
+      memcpy (pCharPattern, pSearchPattern->Buffer, pSearchPattern->Length);
+      pCharPattern[pSearchPattern->Length / sizeof(WCHAR)] = 0;
+    }
  tmpFcb.ObjectName = tmpFcb.PathName;
  while (RC == STATUS_SUCCESS && BufferLength > 0)
    {
@ -320,6 +319,10 @@ NTSTATUS DoQuery (PVFAT_IRP_CONTEXT IrpContext)
 	{
 	  if (Buffer0)
 	    Buffer0->NextEntryOffset = 0;
+          if (OldSector)
+            RC = STATUS_NO_MORE_FILES;
+          else
+            RC = STATUS_NO_SUCH_FILE;
 	  break;
 	}
      if (RC == STATUS_BUFFER_OVERFLOW)
--- a/reactos/lib/kernel32/file/find.c
+++ b/reactos/lib/kernel32/file/find.c
@ -1,4 +1,4 @@
-/* $Id: find.c,v 1.29 2001/08/06 18:37:23 hbirr Exp $
+/* $Id: find.c,v 1.30 2002/02/02 14:04:54 hbirr Exp $
 *
 * COPYRIGHT:       See COPYING in the top level directory
 * PROJECT:         ReactOS system libraries
@ -215,7 +215,7 @@ FindFirstFileA (
 	lpFindFileData->nFileSizeHigh = IData->FileInfo.EndOfFile.u.HighPart;
 	lpFindFileData->nFileSizeLow = IData->FileInfo.EndOfFile.u.LowPart;

-	FileNameU.Length = IData->FileInfo.FileNameLength * sizeof(WCHAR);
+	FileNameU.Length = IData->FileInfo.FileNameLength;
 	FileNameU.MaximumLength = FileNameU.Length + sizeof(WCHAR);
 	FileNameU.Buffer = IData->FileInfo.FileName;

@ -236,7 +236,7 @@ FindFirstFileA (
 	DPRINT("IData->FileInfo.ShortNameLength %d\n",
 	       IData->FileInfo.ShortNameLength);

-	FileNameU.Length = IData->FileInfo.ShortNameLength * sizeof(WCHAR);
+	FileNameU.Length = IData->FileInfo.ShortNameLength;
 	FileNameU.MaximumLength = FileNameU.Length + sizeof(WCHAR);
 	FileNameU.Buffer = IData->FileInfo.ShortName;

@ -297,7 +297,7 @@ FindNextFileA (
 	lpFindFileData->nFileSizeHigh = IData->FileInfo.EndOfFile.u.HighPart;
 	lpFindFileData->nFileSizeLow = IData->FileInfo.EndOfFile.u.LowPart;

-	FileNameU.Length = IData->FileInfo.FileNameLength * sizeof(WCHAR);
+	FileNameU.Length = IData->FileInfo.FileNameLength;
 	FileNameU.MaximumLength = FileNameU.Length + sizeof(WCHAR);
 	FileNameU.Buffer = IData->FileInfo.FileName;

@ -318,7 +318,7 @@ FindNextFileA (
 	DPRINT("IData->FileInfo.ShortNameLength %d\n",
 	       IData->FileInfo.ShortNameLength);

-	FileNameU.Length = IData->FileInfo.ShortNameLength * sizeof(WCHAR);
+	FileNameU.Length = IData->FileInfo.ShortNameLength;
 	FileNameU.MaximumLength = FileNameU.Length + sizeof(WCHAR);
 	FileNameU.Buffer = IData->FileInfo.ShortName;

@ -398,11 +398,11 @@ FindFirstFileW (
 	lpFindFileData->nFileSizeLow = IData->FileInfo.EndOfFile.u.LowPart;
 	memcpy (lpFindFileData->cFileName,
 	        IData->FileInfo.FileName,
-	        IData->FileInfo.FileNameLength * sizeof(WCHAR));
+	        IData->FileInfo.FileNameLength);
  lpFindFileData->cFileName[IData->FileInfo.FileNameLength] = 0;
 	memcpy (lpFindFileData->cAlternateFileName,
 	        IData->FileInfo.ShortName,
-	        IData->FileInfo.ShortNameLength * sizeof(WCHAR));
+	        IData->FileInfo.ShortNameLength);
  lpFindFileData->cAlternateFileName[IData->FileInfo.ShortNameLength] = 0;
 	return IData;
 }
@ -439,11 +439,11 @@ FindNextFileW (
 	lpFindFileData->nFileSizeLow = IData->FileInfo.EndOfFile.u.LowPart;
 	memcpy (lpFindFileData->cFileName,
 	        IData->FileInfo.FileName,
-	        IData->FileInfo.FileNameLength * sizeof(WCHAR));
+	        IData->FileInfo.FileNameLength);
  lpFindFileData->cFileName[IData->FileInfo.FileNameLength] = 0;
 	memcpy (lpFindFileData->cAlternateFileName,
 	        IData->FileInfo.ShortName,
-	        IData->FileInfo.ShortNameLength * sizeof(WCHAR));
+	        IData->FileInfo.ShortNameLength);
  lpFindFileData->cAlternateFileName[IData->FileInfo.ShortNameLength] = 0;
 	return TRUE;
 }