[SDK:REACTOS] probe.h!ProbeAndCaptureUnicodeString(): Validate USTRings and reject them if malformed.

Make this actually the default, and only fall back to our old behaviour of tolerating and fixing malformed strings only if a specific `PROBE_USTR_TOLERATE_MALFORMED_STRINGS` is defined. Somewhat an addendum to commit 0d26bbf4b5.
2026-06-01 17:00:51 +08:00 · 2025-11-29 22:12:45 +01:00
parent 9d29523180
commit 269bc1e7d2
1 changed files with 22 additions and 9 deletions
--- a/sdk/include/reactos/probe.h
+++ b/sdk/include/reactos/probe.h
@@ -163,6 +163,25 @@ ProbeAndCaptureUnicodeString(
 #endif
            if (Dest->Buffer != NULL)
            {
+#ifdef PROBE_USTR_TOLERATE_MALFORMED_STRINGS
+                if (Dest->Length % sizeof(WCHAR))
+                    Dest->Length--;
+                if (Dest->Length > Dest->MaximumLength)
+                    Dest->Length = Dest->MaximumLength;
+#else
+// REMARK: Ideally we should use RtlValidateUnicodeString() or ntstrsafe.h's
+// RtlUnicodeStringValidate(Ex), but the code below performs the same checks.
+// Also, UNICODE_STRING_MAX_CHARS == default NTSTRSAFE_UNICODE_STRING_MAX_CCH.
+                if (Dest->Length % sizeof(WCHAR) != 0 ||
+                    Dest->MaximumLength % sizeof(WCHAR) != 0 ||
+                    Dest->Length > Dest->MaximumLength ||
+                    Dest->MaximumLength > UNICODE_STRING_MAX_CHARS * sizeof(WCHAR) ||
+                    (Dest->Buffer == NULL && (Dest->Length != 0 || Dest->MaximumLength != 0)))
+                {
+                    Status = STATUS_INVALID_PARAMETER;
+                    _SEH2_LEAVE;
+                }
+#endif
                if (Dest->Length != 0)
                {
                    ProbeForRead(Dest->Buffer, Dest->Length, sizeof(WCHAR));
@@ -183,18 +202,12 @@ ProbeAndCaptureUnicodeString(

                    /* Set it as the buffer */
                    Dest->Buffer = Buffer;
-                    if (Dest->Length % sizeof(WCHAR))
-                    {
-                        Dest->Length--;
-                    }
+#ifdef PROBE_USTR_TOLERATE_MALFORMED_STRINGS
                    if (Dest->Length >= UNICODE_STRING_MAX_BYTES)
-                    {
                        Dest->MaximumLength = Dest->Length;
-                    }
                    else
-                    {
-                        Dest->MaximumLength = Dest->Length + sizeof(WCHAR);
-                    }
+#endif
+                    Dest->MaximumLength = Dest->Length + sizeof(WCHAR);
                }
                else
                {