[CSRSRV]: In CsrCaptureArguments, be sure that the number of captured pointers is at most equal to MAXUSHORT (and not the total length of the captured buffer).

svn path=/trunk/; revision=60561

reactos/subsystems/win32/csrsrv/api.c

@@ -1153,7 +1153,7 @@ CsrCaptureArguments(IN PCSR_THREAD CsrThread,
         /* Check if the Length is valid */
         if ((FIELD_OFFSET(CSR_CAPTURE_BUFFER, PointerOffsetsArray) +
                 (LocalCaptureBuffer->PointerCount * sizeof(PVOID)) > Length) ||
-            (Length > MAXWORD))
+            (LocalCaptureBuffer->PointerCount > MAXUSHORT))
         {
             /* Return failure */
             DPRINT1("*** CSRSS: CaptureBuffer %p has bad length\n", LocalCaptureBuffer);