From eb9d268653b7093db6aacbeea0b2cde54014b190 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Herm=C3=A8s=20B=C3=A9lusca-Ma=C3=AFto?=
 <hermes.belusca-maito@reactos.org>
Date: Sun, 6 Oct 2013 14:20:18 +0000
Subject: [PATCH] [CSRSRV]: In CsrCaptureArguments, be sure that the number of
 captured pointers is at most equal to MAXUSHORT (and not the total length of
 the captured buffer).

svn path=/trunk/; revision=60561
---
 reactos/subsystems/win32/csrsrv/api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/reactos/subsystems/win32/csrsrv/api.c b/reactos/subsystems/win32/csrsrv/api.c
index 55f8c9d3bbb..125fc67de64 100644
--- a/reactos/subsystems/win32/csrsrv/api.c
+++ b/reactos/subsystems/win32/csrsrv/api.c
@@ -1153,7 +1153,7 @@ CsrCaptureArguments(IN PCSR_THREAD CsrThread,
         /* Check if the Length is valid */
         if ((FIELD_OFFSET(CSR_CAPTURE_BUFFER, PointerOffsetsArray) +
                 (LocalCaptureBuffer->PointerCount * sizeof(PVOID)) > Length) ||
-            (Length > MAXWORD))
+            (LocalCaptureBuffer->PointerCount > MAXUSHORT))
         {
             /* Return failure */
             DPRINT1("*** CSRSS: CaptureBuffer %p has bad length\n", LocalCaptureBuffer);