From cf40421041eeea92a29520a9d04868cb804239ca Mon Sep 17 00:00:00 2001
From: Thomas Faber
Date: Wed, 20 Feb 2019 12:21:03 +0100
Subject: [PATCH] [NTOS:PNP] Correctly respect data size in PnpRegSzToString. CORE-15766 Spotted by Vadim Galyant.
---
 ntoskrnl/io/pnpmgr/pnputil.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/ntoskrnl/io/pnpmgr/pnputil.c b/ntoskrnl/io/pnpmgr/pnputil.c
index 3ed75b2c071..8f173041871 100644
--- a/ntoskrnl/io/pnpmgr/pnputil.c
+++ b/ntoskrnl/io/pnpmgr/pnputil.c
@@ -175,11 +175,20 @@ PnpRegSzToString(IN PWCHAR RegSzData,
 PWCHAR p, pp;
 /* Find the end */
- pp = RegSzData + RegSzLength;
- for (p = RegSzData; p < pp; p++) if (!*p) break;
+ pp = RegSzData + RegSzLength / sizeof(WCHAR);
+ for (p = RegSzData; p < pp; p++)
+ {
+ if (!*p)
+ {
+ break;
+ }
+ }
- /* Return it */
- if (StringLength) *StringLength = (USHORT)(p - RegSzData) * sizeof(WCHAR);
+ /* Return the length. Truncation can happen but is of no consequence. */
+ if (StringLength)
+ {
+ *StringLength = (USHORT)(p - RegSzData) * sizeof(WCHAR);
+ }
 return TRUE;
 }
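Review bot: The new comment on the `*StringLength` assignment says truncation "is of no consequence", but the function still returns TRUE when the byte length does not fit in a USHORT. The caller then gets a wrapped, shorter length with no sign that the registry data was oversized. The explicit cast also covers only the character count, so the narrowing of the product to USHORT is implicit. If callers use this as a UNICODE_STRING length (they are not visible in this hunk), consider rejecting the value with `if ((p - RegSzData) * sizeof(WCHAR) > MAXUSHORT) return FALSE;` and storing `(USHORT)((p - RegSzData) * sizeof(WCHAR))`. Otherwise, extend the comment to say why a wrapped length is safe for them. The function signature and the declaration of RegSzLength lie outside the hunk.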