lywsvip/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2026-06-01 08:50:24 +08:00
Code Issues Packages Projects Releases Wiki Activity

[NTOS] Addendum to 03873aee: check that the computed size of the OEM-converted string is less than MAXUSHORT.

Browse Source
This commit is contained in:
Hermès Bélusca-Maïto
2018-12-21 00:33:56 +01:00
parent 5c77cd9050
commit b2bad34b9b
1 changed files with 9 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
ntoskrnl/inbv/inbv.c
View File

@@ -778,6 +778,7 @@ NtDisplayString(IN PUNICODE_STRING DisplayString)
NTSTATUS Status;
UNICODE_STRING CapturedString;
OEM_STRING OemString;
ULONG OemLength;
KPROCESSOR_MODE PreviousMode;
PAGED_CODE();
@@ -806,11 +807,14 @@ NtDisplayString(IN PUNICODE_STRING DisplayString)
* We cannot perform the allocation using RtlUnicodeStringToOemString()
* since its allocator uses PagedPool.
*/
RtlInitEmptyAnsiString((PANSI_STRING)&OemString, NULL,
RtlUnicodeStringToOemSize(&CapturedString));
OemString.Buffer = ExAllocatePoolWithTag(NonPagedPool,
OemString.MaximumLength,
TAG_OSTR);
OemLength = RtlUnicodeStringToOemSize(&CapturedString);
if (OemLength > MAXUSHORT)
{
Status = STATUS_BUFFER_OVERFLOW;
goto Quit;
}
RtlInitEmptyAnsiString((PANSI_STRING)&OemString, NULL, (USHORT)OemLength);
OemString.Buffer = ExAllocatePoolWithTag(NonPagedPool, OemLength, TAG_OSTR);
if (OemString.Buffer == NULL)
{
Status = STATUS_NO_MEMORY;