From d8042fe33035aa627af45866789e4119b15f248c Mon Sep 17 00:00:00 2001
From: Hartmut Birr <osexpert@googlemail.com>
Date: Sat, 1 Nov 2003 12:59:38 +0000
Subject: [PATCH] - Check if a requested fixed address range is valid for the
 address space. - This fixes bug #34.

svn path=/trunk/; revision=6489
---
 reactos/ntoskrnl/mm/marea.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/reactos/ntoskrnl/mm/marea.c b/reactos/ntoskrnl/mm/marea.c
index 09512672037..35712658ce7 100644
--- a/reactos/ntoskrnl/mm/marea.c
+++ b/reactos/ntoskrnl/mm/marea.c
@@ -519,6 +519,18 @@ NTSTATUS MmCreateMemoryArea(PEPROCESS Process,
      {
 	tmpLength = (ULONG)*BaseAddress + Length - PAGE_ROUND_DOWN((*BaseAddress));
 	(*BaseAddress) = (PVOID)PAGE_ROUND_DOWN((*BaseAddress));
+
+	if (AddressSpace->LowestAddress == KERNEL_BASE &&
+	    (*BaseAddress) < (PVOID)KERNEL_BASE)
+	  {
+	    return STATUS_ACCESS_VIOLATION;
+	  }
+
+        if (AddressSpace->LowestAddress < KERNEL_BASE && 
+	    (*BaseAddress) + tmpLength > (PVOID)KERNEL_BASE)
+	  {
+	    return STATUS_ACCESS_VIOLATION;
+	  }
 	if (MmOpenMemoryAreaByRegion(AddressSpace,
 				     *BaseAddress,
 				     tmpLength)!=NULL)