From 269bc1e7d2b76705c6b0f16de2a6e983e2d8212c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Herm=C3=A8s=20B=C3=A9lusca-Ma=C3=AFto?=
Date: Sat, 29 Nov 2025 22:12:45 +0100
Subject: [PATCH] [SDK:REACTOS] probe.h!ProbeAndCaptureUnicodeString(): Validate USTRings and reject them if malformed. Make this actually the default, and only fall back to our old behaviour of tolerating and fixing malformed strings only if a specific `PROBE_USTR_TOLERATE_MALFORMED_STRINGS` is defined. Somewhat an addendum to commit 0d26bbf4b5.
---
 sdk/include/reactos/probe.h | 31 ++++++++++++++++++++++---------
 1 file changed, 22 insertions(+), 9 deletions(-)
diff --git a/sdk/include/reactos/probe.h b/sdk/include/reactos/probe.h
index c815283b4be..0398e224161 100644
--- a/sdk/include/reactos/probe.h
+++ b/sdk/include/reactos/probe.h
@@ -163,6 +163,25 @@ ProbeAndCaptureUnicodeString(
 #endif
 if (Dest->Buffer != NULL)
 {
+#ifdef PROBE_USTR_TOLERATE_MALFORMED_STRINGS
+ if (Dest->Length % sizeof(WCHAR))
+ Dest->Length--;
+ if (Dest->Length > Dest->MaximumLength)
+ Dest->Length = Dest->MaximumLength;
+#else
+// REMARK: Ideally we should use RtlValidateUnicodeString() or ntstrsafe.h's
+// RtlUnicodeStringValidate(Ex), but the code below performs the same checks.
+// Also, UNICODE_STRING_MAX_CHARS == default NTSTRSAFE_UNICODE_STRING_MAX_CCH.
+ if (Dest->Length % sizeof(WCHAR) != 0 ||
+ Dest->MaximumLength % sizeof(WCHAR) != 0 ||
+ Dest->Length > Dest->MaximumLength ||
+ Dest->MaximumLength > UNICODE_STRING_MAX_CHARS * sizeof(WCHAR) ||
+ (Dest->Buffer == NULL && (Dest->Length != 0 || Dest->MaximumLength != 0)))
+ {
+ Status = STATUS_INVALID_PARAMETER;
+ _SEH2_LEAVE;
+ }
+#endif
 if (Dest->Length != 0)
 {
 ProbeForRead(Dest->Buffer, Dest->Length, sizeof(WCHAR));
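Review bot: The last clause of the new strict check, `(Dest->Buffer == NULL && (Dest->Length != 0 || Dest->MaximumLength != 0))`, can never be true at this position, because the whole check sits inside `if (Dest->Buffer != NULL)`. A user-supplied descriptor with a NULL buffer and non-zero lengths is therefore not rejected by this code. What happens to it depends on the `else` branch outside the hunk, so that branch should be checked against the commit's stated intent of rejecting malformed strings by default. Either hoist the validation above the `if (Dest->Buffer != NULL)` test, or drop the dead clause and leave a comment such as `/* NULL-buffer descriptors are handled in the else branch below */`. The enclosing function starts and ends outside the hunk.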
@@ -183,18 +202,12 @@ ProbeAndCaptureUnicodeString(
 /* Set it as the buffer */
 Dest->Buffer = Buffer;
- if (Dest->Length % sizeof(WCHAR))
- {
- Dest->Length--;
- }
+#ifdef PROBE_USTR_TOLERATE_MALFORMED_STRINGS
 if (Dest->Length >= UNICODE_STRING_MAX_BYTES)
- {
 Dest->MaximumLength = Dest->Length;
- }
 else
- {
- Dest->MaximumLength = Dest->Length + sizeof(WCHAR);
- }
+#endif
+ Dest->MaximumLength = Dest->Length + sizeof(WCHAR);
 }
 else
 {
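Review bot: With `PROBE_USTR_TOLERATE_MALFORMED_STRINGS` undefined, the `Dest->Length >= UNICODE_STRING_MAX_BYTES` guard is compiled out, so `Dest->MaximumLength = Dest->Length + sizeof(WCHAR);` runs for every accepted length. The strict check in the first hunk still admits `Length == UNICODE_STRING_MAX_CHARS * sizeof(WCHAR)`. Assuming the usual ntdef.h values (32767 characters, 65534 bytes), that sum does not fit the 16-bit `MaximumLength` field and wraps to 0, leaving a captured string whose `Length` exceeds its `MaximumLength`. Dropping the `#ifdef`/`#endif` pair here keeps the `if`/`else` clamp unconditional and avoids an `else` that dangles into an `#endif`; alternatively the strict check could reject `Dest->Length > UNICODE_STRING_MAX_BYTES - sizeof(WCHAR)`. The function body starts and ends outside the hunk.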