[WIN32K]

- Fix possible buffer overrun - Use KEY_VALUE_PARTIAL_INFORMATION field instead of magic offset to data svn path=/trunk/; revision=53645
2025-02-25 01:39:30 +00:00 · 2011-09-08 16:38:38 +00:00 · 2011-09-08 16:38:38 +00:00 · dd187dbf32
commit dd187dbf32
parent 6a2bccb41c
2 changed files with 15 additions and 14 deletions
--- a/reactos/subsystems/win32/win32k/ntuser/kbdlayout.c
+++ b/reactos/subsystems/win32/win32k/ntuser/kbdlayout.c
@ -286,6 +286,9 @@ PKBL W32kGetDefaultKeyLayout(VOID)

   if( NT_SUCCESS(Status) )
   {
+      FullKeyboardLayoutPath.Buffer = wszBuffer;
+      FullKeyboardLayoutPath.MaximumLength = sizeof(wszBuffer);
+
      // FIXME: Is this 100% correct?
      // We're called very early, so HKEY_CURRENT_USER might not be available yet. Check this first.
      InitializeObjectAttributes(&KeyAttributes, &CurrentUserPath, OBJ_CASE_INSENSITIVE, NULL, NULL);
@ -294,18 +297,18 @@ PKBL W32kGetDefaultKeyLayout(VOID)
      if(Status == STATUS_OBJECT_NAME_NOT_FOUND)
      {
         // It is not available, so read it from HKEY_USERS\.DEFAULT
+         FullKeyboardLayoutPath.Length = sizeof(szDefaultUserPath) - sizeof(UNICODE_NULL);
         RtlCopyMemory(wszBuffer, szDefaultUserPath, sizeof(szDefaultUserPath));
      }
      else
      {
         // The path is available
         ZwClose(KeyHandle);
-         RtlCopyMemory(wszBuffer, CurrentUserPath.Buffer, CurrentUserPath.MaximumLength);
+         RtlCopyUnicodeString(&FullKeyboardLayoutPath, &CurrentUserPath);
      }

-      // Build the full path
-      RtlInitUnicodeString(&FullKeyboardLayoutPath, wszBuffer);
-      FullKeyboardLayoutPath.MaximumLength = MAX_PATH;
+      // Free CurrentUserPath - we dont need it anymore
+      RtlFreeUnicodeString(&CurrentUserPath);

      Status = RtlAppendUnicodeToString(&FullKeyboardLayoutPath, szKeyboardLayoutPath);

@ -326,8 +329,6 @@ PKBL W32kGetDefaultKeyLayout(VOID)
      }
      else
         ERR("RtlAppendUnicodeToString failed! (%08lx)\n", Status);
-
-      RtlFreeUnicodeString(&CurrentUserPath);
   }
   else
      ERR("RtlFormatCurrentUserKeyPath failed! (%08lx)\n", Status);
--- a/reactos/subsystems/win32/win32k/ntuser/misc.c
+++ b/reactos/subsystems/win32/win32k/ntuser/misc.c
@ -17,13 +17,13 @@ FASTCALL
 IntGdiGetLanguageID(VOID)
 {
  HANDLE KeyHandle;
-  ULONG Size = sizeof(WCHAR) * (MAX_PATH + 12);
  OBJECT_ATTRIBUTES ObAttr;
 //  http://support.microsoft.com/kb/324097
  ULONG Ret = 0x409; // English
-  PVOID KeyInfo;
+  PKEY_VALUE_PARTIAL_INFORMATION pKeyInfo;
+  ULONG Size = sizeof(KEY_VALUE_PARTIAL_INFORMATION) + MAX_PATH*sizeof(WCHAR);
  UNICODE_STRING Language;
-  
+
  RtlInitUnicodeString( &Language,
    L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Language");

@ -35,22 +35,22 @@ IntGdiGetLanguageID(VOID)

  if ( NT_SUCCESS(ZwOpenKey(&KeyHandle, KEY_READ, &ObAttr)))
  {
-     KeyInfo = ExAllocatePoolWithTag(PagedPool, Size, TAG_STRING);
-     if ( KeyInfo )
+     pKeyInfo = ExAllocatePoolWithTag(PagedPool, Size, TAG_STRING);
+     if ( pKeyInfo )
     {
        RtlInitUnicodeString(&Language, L"Default");

        if ( NT_SUCCESS(ZwQueryValueKey( KeyHandle,
                                         &Language,
                        KeyValuePartialInformation,
-                                           KeyInfo,
+                                          pKeyInfo,
                                              Size,
                                             &Size)) )
      {
-        RtlInitUnicodeString(&Language, (PVOID)((char *)KeyInfo + 12));
+        RtlInitUnicodeString(&Language, (PWSTR)pKeyInfo->Data);
        RtlUnicodeStringToInteger(&Language, 16, &Ret);
      }
-      ExFreePoolWithTag(KeyInfo, TAG_STRING);
+      ExFreePoolWithTag(pKeyInfo, TAG_STRING);
    }
    ZwClose(KeyHandle);
  }