From c707066acb9a6e7443e189e39e4827607fe2be03 Mon Sep 17 00:00:00 2001
From: Timo Kreuzer
Date: Wed, 25 Jan 2012 16:45:42 +0000
Subject: [PATCH] [FREELDR] Fix wrong buffer size calculation that could lead to memory corruption

Kudos go to Jardar for debugging the issue.

svn path=/trunk/; revision=55173
---
 reactos/boot/freeldr/freeldr/arch/i386/hardware.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/reactos/boot/freeldr/freeldr/arch/i386/hardware.c b/reactos/boot/freeldr/freeldr/arch/i386/hardware.c
index 25a77b31a35..58298cf3597 100644
--- a/reactos/boot/freeldr/freeldr/arch/i386/hardware.c
+++ b/reactos/boot/freeldr/freeldr/arch/i386/hardware.c
@@ -250,7 +250,8 @@ DetectPnpBios(PCONFIGURATION_COMPONENT_DATA SystemKey, ULONG *BusNumber)
  TRACE("Estimated buffer size %u\n", NodeSize * NodeCount);
 
  /* Set 'Configuration Data' value */
- Size = sizeof(CM_PARTIAL_RESOURCE_LIST) + (NodeSize * NodeCount);
+ Size = sizeof(CM_PARTIAL_RESOURCE_LIST) +
+ sizeof(CM_PNP_BIOS_INSTALLATION_CHECK) + (NodeSize * NodeCount);
  PartialResourceList = MmHeapAlloc(Size);
  if (PartialResourceList == NULL)
  {
@@ -268,8 +269,8 @@ DetectPnpBios(PCONFIGURATION_COMPONENT_DATA SystemKey, ULONG *BusNumber)
  PartialResourceList->PartialDescriptors[0].ShareDisposition =
  CmResourceShareUndetermined;
 
- Ptr = (char *)(((ULONG_PTR)&PartialResourceList->PartialDescriptors[0]) +
- sizeof(CM_PARTIAL_RESOURCE_DESCRIPTOR));
+ /* The buffer starts after PartialResourceList->PartialDescriptors[0] */
+ Ptr = (char *)(PartialResourceList + 1);
 
  /* Set instalation check data */
  memcpy (Ptr, InstData, sizeof(CM_PNP_BIOS_INSTALLATION_CHECK));
@@ -292,6 +293,12 @@ DetectPnpBios(PCONFIGURATION_COMPONENT_DATA SystemKey, ULONG *BusNumber)
  DeviceNode->Size,
  DeviceNode->Size);
 
+ if (PnpBufferSize + DeviceNode->Size > Size)
+ {
+ ERR("Buffer too small!\n");
+ break;
+ }
+
  memcpy (Ptr, DeviceNode, DeviceNode->Size);
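Review bot: The new `Size` expression in the first hunk is still built from `NodeSize * NodeCount`, which the TRACE line above it calls an estimate, so the allocation only reserves room for the installation-check record and the estimated node data; any later per-node copy still has to be bounded against `Size` rather than trusting the estimate, and the buffer layout that `Size` encodes is not written down anywhere in the hunk. I would add a comment above the assignment: `/* Layout: CM_PARTIAL_RESOURCE_LIST (with its one inline descriptor), then one CM_PNP_BIOS_INSTALLATION_CHECK, then up to NodeCount nodes of at most NodeSize bytes each */`. If `NodeSize` and `NodeCount` come from the PnP BIOS tables, the product is firmware-controlled and it is worth confirming outside this hunk that it cannot wrap the type of `Size` before `MmHeapAlloc` is called. DetectPnpBios begins and ends outside this hunk.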
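Review bot: In the second hunk, `Ptr = (char *)(PartialResourceList + 1)` is only equivalent to the removed `&PartialDescriptors[0] + sizeof(CM_PARTIAL_RESOURCE_DESCRIPTOR)` because CM_PARTIAL_RESOURCE_LIST carries exactly one inline descriptor and no trailing padding after it; the new comment should state that assumption rather than just where the buffer starts, e.g. `/* Data follows the single inline PartialDescriptors[0]; sizeof(CM_PARTIAL_RESOURCE_LIST) already covers it, matching the Size computed above */`. Since the first hunk enlarges the data that follows the descriptor by sizeof(CM_PNP_BIOS_INSTALLATION_CHECK), whatever sets the descriptor's device-specific data length for this list (not visible in the hunk) presumably needs to agree with the new `Size`; worth checking. The unchanged `memcpy` of InstData below is now covered by the reservation added in the first hunk. DetectPnpBios begins and ends outside this hunk.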