Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-08-03 05:55:48 +00:00
Code Issues Projects Releases Packages Wiki Activity

[USER32]

Browse source 
Fix heap corruption in EnumDisplaySettingsExA/W:
- Do not overwrite the user-provided buffer size in dmDriverExtra
- Fix broken pointer arithmetic
CORE-13097

svn path=/trunk/; revision=74403
This commit is contained in:
Thomas Faber 2017-04-24 15:04:00 +00:00
parent b5171111fb
commit e395d953b3
1 changed files with 10 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

15
reactos/win32ss/user/user32/misc/display.c
View file

@ -238,7 +238,6 @@ EnumDisplaySettingsExA(
COPYS(dmDeviceName, CCHDEVICENAME); COPYS(dmDeviceName, CCHDEVICENAME);
COPYN(dmSpecVersion); COPYN(dmSpecVersion);
COPYN(dmDriverVersion); COPYN(dmDriverVersion);
COPYN(dmDriverExtra);
COPYN(dmFields); COPYN(dmFields);
COPYN(dmPosition.x); COPYN(dmPosition.x);
COPYN(dmPosition.y); COPYN(dmPosition.y);
@ -288,7 +287,9 @@ EnumDisplaySettingsExA(
lpDevMode->dmDriverExtra = lpExtendedDevMode->dmDriverExtra; lpDevMode->dmDriverExtra = lpExtendedDevMode->dmDriverExtra;
/* Copy extra data */ /* Copy extra data */
RtlCopyMemory(lpDevMode + OldSize, lpExtendedDevMode + 1, lpDevMode->dmDriverExtra); RtlCopyMemory((PUCHAR)lpDevMode + OldSize,
lpExtendedDevMode + 1,
lpDevMode->dmDriverExtra);
} }
/* If the size of source structure is less, than used, we clean unsupported flags */ /* If the size of source structure is less, than used, we clean unsupported flags */
@ -363,14 +364,16 @@ EnumDisplaySettingsExW(
Status = NtUserEnumDisplaySettings(pusDeviceName, iModeNum, lpExtendedDevMode, dwFlags); Status = NtUserEnumDisplaySettings(pusDeviceName, iModeNum, lpExtendedDevMode, dwFlags);
if (NT_SUCCESS(Status)) if (NT_SUCCESS(Status))
{ {
/* Store old structure size */ /* Store old structure sizes */
WORD OldSize = lpDevMode->dmSize; WORD OldSize = lpDevMode->dmSize;
WORD OldDriverExtra = lpDevMode->dmDriverExtra;
/* Copy general data */ /* Copy general data */
RtlCopyMemory(lpDevMode, lpExtendedDevMode, OldSize); RtlCopyMemory(lpDevMode, lpExtendedDevMode, OldSize);
/* Restore old size */ /* Restore old sizes */
lpDevMode->dmSize = OldSize; lpDevMode->dmSize = OldSize;
lpDevMode->dmDriverExtra = OldDriverExtra;
/* Extra data presented? */ /* Extra data presented? */
if (lpDevMode->dmDriverExtra && lpExtendedDevMode->dmDriverExtra) if (lpDevMode->dmDriverExtra && lpExtendedDevMode->dmDriverExtra)
@ -380,7 +383,9 @@ EnumDisplaySettingsExW(
lpDevMode->dmDriverExtra = lpExtendedDevMode->dmDriverExtra; lpDevMode->dmDriverExtra = lpExtendedDevMode->dmDriverExtra;
/* Copy extra data */ /* Copy extra data */
RtlCopyMemory(lpDevMode + OldSize, lpExtendedDevMode + 1, lpDevMode->dmDriverExtra); RtlCopyMemory((PUCHAR)lpDevMode + OldSize,
lpExtendedDevMode + 1,
lpDevMode->dmDriverExtra);
} }
/* If the size of source structure is less, than used, we clean unsupported flags */ /* If the size of source structure is less, than used, we clean unsupported flags */