Author: rharabien
Date: Thu Sep  8 16:38:38 2011
New Revision: 53645

URL: http://svn.reactos.org/svn/reactos?rev=53645&view=rev
Log:
[WIN32K]
- Fix possible buffer overrun
- Use KEY_VALUE_PARTIAL_INFORMATION field instead of magic offset to data

Modified:
    trunk/reactos/subsystems/win32/win32k/ntuser/kbdlayout.c
    trunk/reactos/subsystems/win32/win32k/ntuser/misc.c

Modified: trunk/reactos/subsystems/win32/win32k/ntuser/kbdlayout.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/ntuser/kbdlayout.c?rev=53645&r1=53644&r2=53645&view=diff
==============================================================================
--- trunk/reactos/subsystems/win32/win32k/ntuser/kbdlayout.c [iso-8859-1] 
(original)
+++ trunk/reactos/subsystems/win32/win32k/ntuser/kbdlayout.c [iso-8859-1] Thu 
Sep  8 16:38:38 2011
@@ -286,6 +286,9 @@
 
    if( NT_SUCCESS(Status) )
    {
+      FullKeyboardLayoutPath.Buffer = wszBuffer;
+      FullKeyboardLayoutPath.MaximumLength = sizeof(wszBuffer);
+
       // FIXME: Is this 100% correct?
       // We're called very early, so HKEY_CURRENT_USER might not be available 
yet. Check this first.
       InitializeObjectAttributes(&KeyAttributes, &CurrentUserPath, 
OBJ_CASE_INSENSITIVE, NULL, NULL);
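Review bot: FullKeyboardLayoutPath.Length is left unset on the new lines that fill in Buffer and MaximumLength, so the string is only well-formed once one of the later branches assigns it; adding `FullKeyboardLayoutPath.Length = 0;` alongside them would make the UNICODE_STRING valid at the point of construction and safe to hand to RtlAppendUnicodeToString from any path. The `sizeof(wszBuffer)` initializer relies on wszBuffer being a local array rather than a pointer; its declaration is above the hunk, so that is worth confirming. The enclosing function begins and ends outside this hunk.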
@@ -294,18 +297,18 @@
       if(Status == STATUS_OBJECT_NAME_NOT_FOUND)
       {
          // It is not available, so read it from HKEY_USERS\.DEFAULT
+         FullKeyboardLayoutPath.Length = sizeof(szDefaultUserPath) - 
sizeof(UNICODE_NULL);
          RtlCopyMemory(wszBuffer, szDefaultUserPath, 
sizeof(szDefaultUserPath));
       }
       else
       {
          // The path is available
          ZwClose(KeyHandle);
-         RtlCopyMemory(wszBuffer, CurrentUserPath.Buffer, 
CurrentUserPath.MaximumLength);
-      }
-
-      // Build the full path
-      RtlInitUnicodeString(&FullKeyboardLayoutPath, wszBuffer);
-      FullKeyboardLayoutPath.MaximumLength = MAX_PATH;
+         RtlCopyUnicodeString(&FullKeyboardLayoutPath, &CurrentUserPath);
+      }
+
+      // Free CurrentUserPath - we dont need it anymore
+      RtlFreeUnicodeString(&CurrentUserPath);
 
       Status = RtlAppendUnicodeToString(&FullKeyboardLayoutPath, 
szKeyboardLayoutPath);
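Review bot: The HKEY_USERS\.DEFAULT branch still copies szDefaultUserPath into wszBuffer with a plain RtlCopyMemory whose size is unrelated to the MaximumLength just recorded for FullKeyboardLayoutPath, so the "possible overrun" this commit targets is closed there only because the constant happens to fit; tying the two together with `C_ASSERT(sizeof(szDefaultUserPath) <= sizeof(wszBuffer));` just before the copy makes that guarantee explicit at compile time. In the else branch RtlCopyUnicodeString truncates silently when CurrentUserPath does not fit, and the later append would then fail with an ERR that names RtlAppendUnicodeToString rather than the real cause, so a `FullKeyboardLayoutPath.Length == CurrentUserPath.Length` check or a TRACE at the copy would help diagnosis. Note also that the else branch closes KeyHandle for every status other than STATUS_OBJECT_NAME_NOT_FOUND, which presumably includes other failures of the open call above the hunk; that is pre-existing, but the new copy now runs on that path too. The enclosing function begins and ends outside this hunk.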
 
@@ -326,8 +329,6 @@
       }
       else
          ERR("RtlAppendUnicodeToString failed! (%08lx)\n", Status);
-
-      RtlFreeUnicodeString(&CurrentUserPath);
    }
    else
       ERR("RtlFormatCurrentUserKeyPath failed! (%08lx)\n", Status);

Modified: trunk/reactos/subsystems/win32/win32k/ntuser/misc.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/ntuser/misc.c?rev=53645&r1=53644&r2=53645&view=diff
==============================================================================
--- trunk/reactos/subsystems/win32/win32k/ntuser/misc.c [iso-8859-1] (original)
+++ trunk/reactos/subsystems/win32/win32k/ntuser/misc.c [iso-8859-1] Thu Sep  8 
16:38:38 2011
@@ -17,13 +17,13 @@
 IntGdiGetLanguageID(VOID)
 {
   HANDLE KeyHandle;
-  ULONG Size = sizeof(WCHAR) * (MAX_PATH + 12);
   OBJECT_ATTRIBUTES ObAttr;
 //  http://support.microsoft.com/kb/324097
   ULONG Ret = 0x409; // English
-  PVOID KeyInfo;
+  PKEY_VALUE_PARTIAL_INFORMATION pKeyInfo;
+  ULONG Size = sizeof(KEY_VALUE_PARTIAL_INFORMATION) + MAX_PATH*sizeof(WCHAR);
   UNICODE_STRING Language;
-  
+
   RtlInitUnicodeString( &Language,
     L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Language");
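Review bot: `Size` is computed from sizeof(KEY_VALUE_PARTIAL_INFORMATION), which already includes the one-element `Data[1]` array and any trailing padding, so the allocation is slightly larger than the intended MAX_PATH characters; `FIELD_OFFSET(KEY_VALUE_PARTIAL_INFORMATION, Data) + MAX_PATH * sizeof(WCHAR)` is the exact and conventional form for this variable-length struct. This is a matter of style only and harmless as written. IntGdiGetLanguageID's return-type line is above this hunk.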
 
@@ -35,22 +35,22 @@
 
   if ( NT_SUCCESS(ZwOpenKey(&KeyHandle, KEY_READ, &ObAttr)))
   {
-     KeyInfo = ExAllocatePoolWithTag(PagedPool, Size, TAG_STRING);
-     if ( KeyInfo )
+     pKeyInfo = ExAllocatePoolWithTag(PagedPool, Size, TAG_STRING);
+     if ( pKeyInfo )
      {
         RtlInitUnicodeString(&Language, L"Default");
 
         if ( NT_SUCCESS(ZwQueryValueKey( KeyHandle,
                                          &Language,
                         KeyValuePartialInformation,
-                                           KeyInfo,
+                                          pKeyInfo,
                                               Size,
                                              &Size)) )
       {
-        RtlInitUnicodeString(&Language, (PVOID)((char *)KeyInfo + 12));
+        RtlInitUnicodeString(&Language, (PWSTR)pKeyInfo->Data);
         RtlUnicodeStringToInteger(&Language, 16, &Ret);
       }
-      ExFreePoolWithTag(KeyInfo, TAG_STRING);
+      ExFreePoolWithTag(pKeyInfo, TAG_STRING);
     }
     ZwClose(KeyHandle);
   }
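Review bot: `RtlInitUnicodeString(&Language, (PWSTR)pKeyInfo->Data)` scans for a NUL terminator, but REG_SZ data returned by ZwQueryValueKey is not guaranteed to carry one, so a value written without a terminator sends the scan past pKeyInfo->Data to the end of the pool allocation and beyond, a kernel-mode over-read in win32k that replacing the magic offset does not remove. The partial-information block carries Type and DataLength for exactly this reason: check `pKeyInfo->Type == REG_SZ` and build Language as a counted string bounded by DataLength, as below. The status of RtlUnicodeStringToInteger is also ignored, so if it writes to Ret on a malformed value the 0x409 default is lost; its behaviour on failure is worth confirming. The enclosing function begins above this hunk.
```c
        if ( NT_SUCCESS(ZwQueryValueKey( KeyHandle,
                                         &Language,
                                         KeyValuePartialInformation,
                                         pKeyInfo,
                                         Size,
                                         &Size)) &&
             pKeyInfo->Type == REG_SZ &&
             pKeyInfo->DataLength >= sizeof(WCHAR) )
        {
          /* REG_SZ data need not be NUL-terminated: bound the string by
             DataLength instead of scanning for a terminator. */
          Language.Buffer = (PWSTR)pKeyInfo->Data;
          Language.Length = (USHORT)(pKeyInfo->DataLength & ~1u);
          Language.MaximumLength = Language.Length;
          RtlUnicodeStringToInteger(&Language, 16, &Ret);
        }
        /* … unchanged: ExFreePoolWithTag / ZwClose … */
```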

