Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-02-24 09:25:10 +00:00
Code Issues Projects Releases Packages Wiki Activity

[USER32]

Browse source 
Fix heap corruption in EnumDisplaySettingsExA/W:
- Do not overwrite the user-provided buffer size in dmDriverExtra
- Fix broken pointer arithmetic
CORE-13097

svn path=/trunk/; revision=74403
This commit is contained in:
Thomas Faber 2017-04-24 15:04:00 +00:00
parent b5171111fb
commit e395d953b3
1 changed files with 10 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
reactos/win32ss/user/user32/misc/display.c
View file

@ -238,7 +238,6 @@ EnumDisplaySettingsExA(
COPYS(dmDeviceName, CCHDEVICENAME);
COPYN(dmSpecVersion);
COPYN(dmDriverVersion);
COPYN(dmDriverExtra);
COPYN(dmFields);
COPYN(dmPosition.x);
COPYN(dmPosition.y);
@ -288,7 +287,9 @@ EnumDisplaySettingsExA(
lpDevMode->dmDriverExtra = lpExtendedDevMode->dmDriverExtra;
/* Copy extra data */
RtlCopyMemory(lpDevMode + OldSize, lpExtendedDevMode + 1, lpDevMode->dmDriverExtra);
RtlCopyMemory((PUCHAR)lpDevMode + OldSize,
lpExtendedDevMode + 1,
lpDevMode->dmDriverExtra);
}
/* If the size of source structure is less, than used, we clean unsupported flags */
@ -363,14 +364,16 @@ EnumDisplaySettingsExW(
Status = NtUserEnumDisplaySettings(pusDeviceName, iModeNum, lpExtendedDevMode, dwFlags);
if (NT_SUCCESS(Status))
{
/* Store old structure size */
/* Store old structure sizes */
WORD OldSize = lpDevMode->dmSize;
WORD OldDriverExtra = lpDevMode->dmDriverExtra;
/* Copy general data */
RtlCopyMemory(lpDevMode, lpExtendedDevMode, OldSize);
/* Restore old size */
/* Restore old sizes */
lpDevMode->dmSize = OldSize;
lpDevMode->dmDriverExtra = OldDriverExtra;
/* Extra data presented? */
if (lpDevMode->dmDriverExtra && lpExtendedDevMode->dmDriverExtra)
@ -380,7 +383,9 @@ EnumDisplaySettingsExW(
lpDevMode->dmDriverExtra = lpExtendedDevMode->dmDriverExtra;
/* Copy extra data */
RtlCopyMemory(lpDevMode + OldSize, lpExtendedDevMode + 1, lpDevMode->dmDriverExtra);
RtlCopyMemory((PUCHAR)lpDevMode + OldSize,
lpExtendedDevMode + 1,
lpDevMode->dmDriverExtra);
}
/* If the size of source structure is less, than used, we clean unsupported flags */