From dd187dbf32ca807eca8b0fea18acdede49c680ce Mon Sep 17 00:00:00 2001
From: Rafal Harabien
Date: Thu, 8 Sep 2011 16:38:38 +0000
Subject: [PATCH] [WIN32K] - Fix possible buffer overrun - Use KEY_VALUE_PARTIAL_INFORMATION field instead of magic offset to data
svn path=/trunk/; revision=53645
---
 .../subsystems/win32/win32k/ntuser/kbdlayout.c | 13 +++++++------
 reactos/subsystems/win32/win32k/ntuser/misc.c  | 16 ++++++++--------
 2 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/reactos/subsystems/win32/win32k/ntuser/kbdlayout.c b/reactos/subsystems/win32/win32k/ntuser/kbdlayout.c
index b25b41d32c6..d369d90f9ec 100644
--- a/reactos/subsystems/win32/win32k/ntuser/kbdlayout.c
+++ b/reactos/subsystems/win32/win32k/ntuser/kbdlayout.c
@@ -286,6 +286,9 @@ PKBL W32kGetDefaultKeyLayout(VOID)
     if( NT_SUCCESS(Status) )
     {
+        FullKeyboardLayoutPath.Buffer = wszBuffer;
+        FullKeyboardLayoutPath.MaximumLength = sizeof(wszBuffer);
+
         // FIXME: Is this 100% correct?
         // We're called very early, so HKEY_CURRENT_USER might not be available yet. Check this first.
         InitializeObjectAttributes(&KeyAttributes, &CurrentUserPath, OBJ_CASE_INSENSITIVE, NULL, NULL);
@@ -294,18 +297,18 @@ PKBL W32kGetDefaultKeyLayout(VOID)
         if(Status == STATUS_OBJECT_NAME_NOT_FOUND)
         {
             // It is not available, so read it from HKEY_USERS\.DEFAULT
+            FullKeyboardLayoutPath.Length = sizeof(szDefaultUserPath) - sizeof(UNICODE_NULL);
             RtlCopyMemory(wszBuffer, szDefaultUserPath, sizeof(szDefaultUserPath));
         }
         else
         {
             // The path is available
             ZwClose(KeyHandle);
-            RtlCopyMemory(wszBuffer, CurrentUserPath.Buffer, CurrentUserPath.MaximumLength);
+            RtlCopyUnicodeString(&FullKeyboardLayoutPath, &CurrentUserPath);
         }
-        // Build the full path
-        RtlInitUnicodeString(&FullKeyboardLayoutPath, wszBuffer);
-        FullKeyboardLayoutPath.MaximumLength = MAX_PATH;
+        // Free CurrentUserPath - we dont need it anymore
+        RtlFreeUnicodeString(&CurrentUserPath);
         Status = RtlAppendUnicodeToString(&FullKeyboardLayoutPath, szKeyboardLayoutPath);
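Review bot: In the second hunk (@@ -294), the new `RtlCopyUnicodeString(&FullKeyboardLayoutPath, &CurrentUserPath);` truncates silently when CurrentUserPath.Length exceeds FullKeyboardLayoutPath.MaximumLength, so an over-long user key path yields a shortened base path that the following RtlAppendUnicodeToString may still accept, producing a wrong registry path rather than the error the old overrun is being replaced with. Treat a short copy as failure, e.g. `if (FullKeyboardLayoutPath.Length != CurrentUserPath.Length) Status = STATUS_BUFFER_TOO_SMALL;` and skip the append in that case, or compare the two lengths before copying. The declaration of wszBuffer is not in the hunk, so whether the truncation is reachable in practice cannot be confirmed from here; the RtlCopyMemory of szDefaultUserPath in the same hunk likewise has no visible relation to sizeof(wszBuffer). W32kGetDefaultKeyLayout begins and ends outside the hunk.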
@@ -326,8 +329,6 @@ PKBL W32kGetDefaultKeyLayout(VOID)
             }
             else
                 ERR("RtlAppendUnicodeToString failed! (%08lx)\n", Status);
-
-            RtlFreeUnicodeString(&CurrentUserPath);
         }
         else
             ERR("RtlFormatCurrentUserKeyPath failed! (%08lx)\n", Status);
diff --git a/reactos/subsystems/win32/win32k/ntuser/misc.c b/reactos/subsystems/win32/win32k/ntuser/misc.c
index 0bb0b30d413..55405378d83 100644
--- a/reactos/subsystems/win32/win32k/ntuser/misc.c
+++ b/reactos/subsystems/win32/win32k/ntuser/misc.c
@@ -17,13 +17,13 @@ FASTCALL IntGdiGetLanguageID(VOID)
 {
     HANDLE KeyHandle;
-    ULONG Size = sizeof(WCHAR) * (MAX_PATH + 12);
     OBJECT_ATTRIBUTES ObAttr;
     // http://support.microsoft.com/kb/324097
     ULONG Ret = 0x409; // English
-    PVOID KeyInfo;
+    PKEY_VALUE_PARTIAL_INFORMATION pKeyInfo;
+    ULONG Size = sizeof(KEY_VALUE_PARTIAL_INFORMATION) + MAX_PATH*sizeof(WCHAR);
     UNICODE_STRING Language;
-
+
     RtlInitUnicodeString( &Language,
     L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Language");
@@ -35,22 +35,22 @@ IntGdiGetLanguageID(VOID)
     if ( NT_SUCCESS(ZwOpenKey(&KeyHandle, KEY_READ, &ObAttr)))
     {
-        KeyInfo = ExAllocatePoolWithTag(PagedPool, Size, TAG_STRING);
-        if ( KeyInfo )
+        pKeyInfo = ExAllocatePoolWithTag(PagedPool, Size, TAG_STRING);
+        if ( pKeyInfo )
         {
             RtlInitUnicodeString(&Language, L"Default");
             if ( NT_SUCCESS(ZwQueryValueKey( KeyHandle,
                                              &Language,
                                              KeyValuePartialInformation,
-                                             KeyInfo,
+                                             pKeyInfo,
                                              Size,
                                              &Size)) )
             {
-                RtlInitUnicodeString(&Language, (PVOID)((char *)KeyInfo + 12));
+                RtlInitUnicodeString(&Language, (PWSTR)pKeyInfo->Data);
                 RtlUnicodeStringToInteger(&Language, 16, &Ret);
             }
-            ExFreePoolWithTag(KeyInfo, TAG_STRING);
+            ExFreePoolWithTag(pKeyInfo, TAG_STRING);
         }
         ZwClose(KeyHandle);
     }
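Review bot: In the misc.c hunk at @@ -35, the new `RtlInitUnicodeString(&Language, (PWSTR)pKeyInfo->Data);` still depends on the value data carrying a UNICODE_NULL terminator, which REG_SZ data returned by ZwQueryValueKey is not required to have; the terminator scan can then read past DataLength and past the Size bytes allocated in the preceding hunk, so the magic offset is fixed but the read is still unbounded. Describe the string by the reported length instead: `Language.Buffer = (PWSTR)pKeyInfo->Data;` and `Language.Length = Language.MaximumLength = (USHORT)pKeyInfo->DataLength;`, and only parse when `pKeyInfo->Type == REG_SZ` so a value of another type does not feed RtlUnicodeStringToInteger. RtlUnicodeStringToInteger honours Length, so a trailing terminator inside DataLength is harmless. The tail of IntGdiGetLanguageID, including its return, lies outside the hunk.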