[WIN32K:NTUSER] In UserCreateWinstaDirectory(), use a string-safe printf, and use OBJ_KERNEL_HANDLE as well as a suitable desired access value in a ZwCreateDirectoryObject() call.

win32ss/user/ntuser/winsta.c

@@ -47,11 +47,11 @@ NTSTATUS
 NTAPI
 UserCreateWinstaDirectory(VOID)
 {
-    PPEB Peb;
     NTSTATUS Status;
-    WCHAR wstrWindowStationsDir[MAX_PATH];
+    PPEB Peb;
     OBJECT_ATTRIBUTES ObjectAttributes;
     HANDLE hWinstaDir;
+    WCHAR wstrWindowStationsDir[MAX_PATH];
 
     /* Create the WindowStations directory and cache its path for later use */
     Peb = NtCurrentPeb();
@@ -64,11 +64,14 @@ UserCreateWinstaDirectory(VOID)
     }
     else
     {
-        swprintf(wstrWindowStationsDir,
+        Status = RtlStringCbPrintfW(wstrWindowStationsDir,
-                 L"%ws\\%lu%ws",
+                                    sizeof(wstrWindowStationsDir),
-                 SESSION_DIR,
+                                    L"%ws\\%lu%ws",
-                 Peb->SessionId,
+                                    SESSION_DIR,
-                 WINSTA_OBJ_DIR);
+                                    Peb->SessionId,
+                                    WINSTA_OBJ_DIR);
+        if (!NT_SUCCESS(Status))
+            return Status;
 
         if (!RtlCreateUnicodeString(&gustrWindowStationsDir, wstrWindowStationsDir))
         {
@@ -78,10 +81,10 @@ UserCreateWinstaDirectory(VOID)
 
     InitializeObjectAttributes(&ObjectAttributes,
                                &gustrWindowStationsDir,
-                               0,
+                               OBJ_KERNEL_HANDLE,
                                NULL,
                                NULL);
-    Status = ZwCreateDirectoryObject(&hWinstaDir, 0, &ObjectAttributes);
+    Status = ZwCreateDirectoryObject(&hWinstaDir, DIRECTORY_CREATE_OBJECT, &ObjectAttributes);
     if (!NT_SUCCESS(Status))
     {
         ERR("Could not create %wZ directory (Status 0x%X)\n", &gustrWindowStationsDir,  Status);