[NTUSER] Security: Follow-up of #4595 (#4598)

Improve security. CORE-11700
2024-06-30 18:01:07 +00:00 · 2022-08-08 21:23:49 +09:00 · 2022-08-08 21:23:49 +09:00 · d519b11a28
parent f7d068e2bd
commit d519b11a28
1 changed files with 16 additions and 7 deletions
--- a/win32ss/user/ntuser/kbdlayout.c
+++ b/win32ss/user/ntuser/kbdlayout.c
@ -654,7 +654,8 @@ NtUserGetKeyboardLayoutName(
    BOOL bRet = FALSE;
    PKL pKl;
    PTHREADINFO pti;
-    UNICODE_STRING ustrTemp;
+    UNICODE_STRING ustrNameSafe;
    NTSTATUS Status;
    UserEnterShared();
@ -667,25 +668,33 @@ NtUserGetKeyboardLayoutName(
    _SEH2_TRY
    {
        ProbeForWriteUnicodeString(pustrName);
-        ProbeForWrite(pustrName->Buffer, pustrName->MaximumLength, 1);
+        ustrNameSafe = *pustrName;
        ProbeForWrite(ustrNameSafe.Buffer, ustrNameSafe.MaximumLength, 1);
        if (IS_IME_HKL(pKl->hkl))
        {
-            RtlIntegerToUnicodeString((ULONG)(ULONG_PTR)pKl->hkl, 16, pustrName);
+            Status = RtlIntegerToUnicodeString((ULONG)(ULONG_PTR)pKl->hkl, 16, &ustrNameSafe);
        }
        else
        {
-            if (pustrName->MaximumLength < KL_NAMELENGTH * sizeof(WCHAR))
+            if (ustrNameSafe.MaximumLength < KL_NAMELENGTH * sizeof(WCHAR))
            {
                EngSetLastError(ERROR_INVALID_PARAMETER);
                goto cleanup;
            }
-            RtlInitUnicodeString(&ustrTemp, pKl->spkf->awchKF); /* FIXME: Do not use awchKF */
+
-            RtlCopyUnicodeString(pustrName, &ustrTemp);
+            /* FIXME: Do not use awchKF */
            ustrNameSafe.Length = 0;
            Status = RtlAppendUnicodeToString(&ustrNameSafe, pKl->spkf->awchKF);
        }
        if (NT_SUCCESS(Status))
        {
            *pustrName = ustrNameSafe;
            bRet = TRUE;
        }
    }
    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
    {
        SetLastNtError(_SEH2_GetExceptionCode());