[NTUSER] Security: Follow-up of #4595 (#4598)

Improve security. CORE-11700
2024-06-25 15:31:47 +00:00 · 2022-08-08 21:23:49 +09:00 · 2022-08-08 21:23:49 +09:00 · d519b11a28
parent f7d068e2bd
commit d519b11a28
1 changed files with 16 additions and 7 deletions
--- a/win32ss/user/ntuser/kbdlayout.c
+++ b/win32ss/user/ntuser/kbdlayout.c
@ -654,7 +654,8 @@ NtUserGetKeyboardLayoutName(
    BOOL bRet = FALSE;
    PKL pKl;
    PTHREADINFO pti;
-    UNICODE_STRING ustrTemp;
+    UNICODE_STRING ustrNameSafe;
+    NTSTATUS Status;

    UserEnterShared();

@ -667,24 +668,32 @@ NtUserGetKeyboardLayoutName(
    _SEH2_TRY
    {
        ProbeForWriteUnicodeString(pustrName);
-        ProbeForWrite(pustrName->Buffer, pustrName->MaximumLength, 1);
+        ustrNameSafe = *pustrName;
+
+        ProbeForWrite(ustrNameSafe.Buffer, ustrNameSafe.MaximumLength, 1);

        if (IS_IME_HKL(pKl->hkl))
        {
-            RtlIntegerToUnicodeString((ULONG)(ULONG_PTR)pKl->hkl, 16, pustrName);
+            Status = RtlIntegerToUnicodeString((ULONG)(ULONG_PTR)pKl->hkl, 16, &ustrNameSafe);
        }
        else
        {
-            if (pustrName->MaximumLength < KL_NAMELENGTH * sizeof(WCHAR))
+            if (ustrNameSafe.MaximumLength < KL_NAMELENGTH * sizeof(WCHAR))
            {
                EngSetLastError(ERROR_INVALID_PARAMETER);
                goto cleanup;
            }
-            RtlInitUnicodeString(&ustrTemp, pKl->spkf->awchKF); /* FIXME: Do not use awchKF */
-            RtlCopyUnicodeString(pustrName, &ustrTemp);
+
+            /* FIXME: Do not use awchKF */
+            ustrNameSafe.Length = 0;
+            Status = RtlAppendUnicodeToString(&ustrNameSafe, pKl->spkf->awchKF);
        }

-        bRet = TRUE;
+        if (NT_SUCCESS(Status))
+        {
+            *pustrName = ustrNameSafe;
+            bRet = TRUE;
+        }
    }
    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
    {