Author: pschweitzer
Date: Fri Feb 25 20:15:51 2011
New Revision: 50904

URL: http://svn.reactos.org/svn/reactos?rev=50904&view=rev
Log:
[NTOSKRNL]
For both FsRtlIsNameInExpression() & FsRtlIsDbcsInExpression():
As both UNICODE_STRING & ANSI_STRING might not be NUL-terminated, don't attempt
to read the terminating null char past Length.
This fixes potential buffer overruns.
Then it fixes some (all?) 'TempPte.u.Long != 0' assertion failure.
See issue #5923 for more details.

Modified:
    trunk/reactos/ntoskrnl/fsrtl/dbcsname.c
    trunk/reactos/ntoskrnl/fsrtl/name.c

Modified: trunk/reactos/ntoskrnl/fsrtl/dbcsname.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/fsrtl/dbcsname.c?rev=50904&r1=50903&r2=50904&view=diff
==============================================================================
--- trunk/reactos/ntoskrnl/fsrtl/dbcsname.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/fsrtl/dbcsname.c [iso-8859-1] Fri Feb 25 20:15:51 
2011
@@ -185,10 +185,15 @@
                     break;
 
                 case '?':
-                    ExpressionPosition++;
+                    if (++ExpressionPosition == Expression->Length)
+                    {
+                        NamePosition = Name->Length;
+                        break;
+                    }
+
                     MatchingChars = NamePosition;
-                    while (Name->Buffer[NamePosition] != 
Expression->Buffer[ExpressionPosition] &&
-                           NamePosition < Name->Length)
+                    while (NamePosition < Name->Length &&
+                           Name->Buffer[NamePosition] != 
Expression->Buffer[ExpressionPosition])
                     {
                         NamePosition++;
                     }
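Review bot: The new early-out in the '?' case sets `NamePosition = Name->Length` and then `break`s out of the switch, so everything that follows the while loop in this case — including whatever consumes the `MatchingChars` snapshot taken at the `MatchingChars = NamePosition;` line — is skipped for a trailing '?'. That tail is outside the hunk, so I cannot tell whether it enforces a one-character limit that this new path now bypasses; if swallowing the whole remaining name is the intended meaning of a trailing '?', say so next to the assignment, e.g. `/* '?' is the last expression char: it matches the rest of the name */`. Now that the index is guaranteed in range, `Expression->Buffer[ExpressionPosition]` is loop-invariant and reads better hoisted, e.g. `CHAR Expected = Expression->Buffer[ExpressionPosition];` before the loop. The enclosing switch and function both start before this hunk.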
@@ -200,7 +205,7 @@
                     break;
 
                 case ANSI_DOS_DOT:
-                    while (Name->Buffer[NamePosition] != '.' && NamePosition < 
Name->Length)
+                    while (NamePosition < Name->Length && 
Name->Buffer[NamePosition] != '.')
                     {
                         NamePosition++;
                     }
@@ -246,8 +251,8 @@
         else if (StarFound != MAXUSHORT)
         {
             ExpressionPosition = StarFound + 1;
-            while (Name->Buffer[NamePosition] != 
Expression->Buffer[ExpressionPosition] &&
-                   NamePosition < Name->Length)
+            while (NamePosition < Name->Length &&
+                   Name->Buffer[NamePosition] != 
Expression->Buffer[ExpressionPosition])
             {
                 NamePosition++;
             }
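Review bot: The guard this commit adds to the '?' case is missing here: `ExpressionPosition = StarFound + 1` is used as an index with no comparison against `Expression->Length`, so when '*' is the last character of a non-NUL-terminated expression the loop condition reads `Expression->Buffer[Expression->Length]`, one byte past the buffer — the same overrun class the log message describes. Unless the '*' case (outside this hunk) already returns for a trailing star, mirror the '?' fix with `if (ExpressionPosition >= Expression->Length) { NamePosition = Name->Length; } else` in front of the while loop. The enclosing loop starts before and ends after this hunk.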

Modified: trunk/reactos/ntoskrnl/fsrtl/name.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/fsrtl/name.c?rev=50904&r1=50903&r2=50904&view=diff
==============================================================================
--- trunk/reactos/ntoskrnl/fsrtl/name.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/fsrtl/name.c [iso-8859-1] Fri Feb 25 20:15:51 2011
@@ -45,11 +45,16 @@
                     break;
 
                 case L'?':
-                    ExpressionPosition++;
+                    if (++ExpressionPosition == Expression->Length / 
sizeof(WCHAR))
+                    {
+                        NamePosition = Name->Length / sizeof(WCHAR);
+                        break;
+                    }
+
                     MatchingChars = NamePosition;
-                    while ((IgnoreCase ? 
UpcaseTable[Name->Buffer[NamePosition]] :
-                                         Name->Buffer[NamePosition]) != 
Expression->Buffer[ExpressionPosition] &&
-                           NamePosition < Name->Length / sizeof(WCHAR))
+                    while (NamePosition < Name->Length / sizeof(WCHAR) &&
+                           (IgnoreCase ? 
UpcaseTable[Name->Buffer[NamePosition]] :
+                                         Name->Buffer[NamePosition]) != 
Expression->Buffer[ExpressionPosition])
                     {
                         NamePosition++;
                     }
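Review bot: The loop condition applies `UpcaseTable` to the name character only and compares it against the raw `Expression->Buffer[ExpressionPosition]`, so the IgnoreCase path depends on the caller having already upcased the expression; that precondition is not stated anywhere in the hunk and deserves a comment at the top of the case, e.g. `/* IgnoreCase: Expression is expected to be upcased by the caller */`. As with the ANSI variant, the early-out sets `NamePosition = Name->Length / sizeof(WCHAR)` and breaks past the code that follows the loop (the `MatchingChars` consumer is outside the hunk), which presumably lets a trailing '?' absorb the rest of the name — confirm that is intended. `Name->Length / sizeof(WCHAR)` and `Expression->Buffer[ExpressionPosition]` are both loop-invariant and would read better as locals, e.g. `USHORT NameChars = Name->Length / sizeof(WCHAR);`. The enclosing switch and function start before this hunk.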
@@ -61,8 +66,8 @@
                     break;
 
                 case DOS_DOT:
-                    while (Name->Buffer[NamePosition] != L'.' &&
-                           NamePosition < Name->Length / sizeof(WCHAR))
+                    while (NamePosition < Name->Length / sizeof(WCHAR) &&
+                           Name->Buffer[NamePosition] != L'.')
                     {
                         NamePosition++;
                     }
@@ -108,9 +113,9 @@
         else if (StarFound != MAXUSHORT)
         {
             ExpressionPosition = StarFound + 1;
-            while ((IgnoreCase ? UpcaseTable[Name->Buffer[NamePosition]] :
-                    Name->Buffer[NamePosition]) != 
Expression->Buffer[ExpressionPosition] &&
-                    NamePosition < Name->Length / sizeof(WCHAR))
+            while (NamePosition < Name->Length / sizeof(WCHAR) &&
+                   (IgnoreCase ? UpcaseTable[Name->Buffer[NamePosition]] :
+                    Name->Buffer[NamePosition]) != 
Expression->Buffer[ExpressionPosition])
             {
                 NamePosition++;
             }
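Review bot: `ExpressionPosition = StarFound + 1` is indexed into `Expression->Buffer` without a bound check, so a '*' in the last position of a non-NUL-terminated UNICODE_STRING makes the loop condition read the WCHAR at `Expression->Length / sizeof(WCHAR)`, one element past the buffer — the same class of read the commit fixes for '?'. Unless the '*' case, which lies outside this hunk, already returns for a trailing star, add the same guard in WCHAR units: `if (ExpressionPosition >= Expression->Length / sizeof(WCHAR)) { NamePosition = Name->Length / sizeof(WCHAR); } else` before the while. The enclosing loop starts before and ends after this hunk.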

