Author: hbelusca
Date: Fri Aug  1 19:03:50 2014
New Revision: 63795

URL: http://svn.reactos.org/svn/reactos?rev=63795&view=rev
Log:
[KERNEL32]
Hack buffer protection check for pInputControl and lpBuffer user buffers.

Modified:
    branches/condrv_restructure/dll/win32/kernel32/client/console/readwrite.c

Modified: 
branches/condrv_restructure/dll/win32/kernel32/client/console/readwrite.c
URL: 
http://svn.reactos.org/svn/reactos/branches/condrv_restructure/dll/win32/kernel32/client/console/readwrite.c?rev=63795&r1=63794&r2=63795&view=diff
==============================================================================
--- branches/condrv_restructure/dll/win32/kernel32/client/console/readwrite.c   
[iso-8859-1] (original)
+++ branches/condrv_restructure/dll/win32/kernel32/client/console/readwrite.c   
[iso-8859-1] Fri Aug  1 19:03:50 2014
@@ -126,42 +126,53 @@
      * "This parameter requires Unicode input by default.
      * For ANSI mode, set this parameter to NULL."
      */
-    if (bUnicode && pInputControl &&
-        pInputControl->nLength == sizeof(CONSOLE_READCONSOLE_CONTROL))
-    {
-        /* Sanity check */
-        if (pInputControl->nInitialChars <= nNumberOfCharsToRead)
-        {
-            ReadConsoleRequest->InitialNumBytes =
-                pInputControl->nInitialChars * sizeof(WCHAR); // CharSize
-
-            if (pInputControl->nInitialChars != 0)
+    _SEH2_TRY
+    {
+        if (bUnicode && pInputControl &&
+            pInputControl->nLength == sizeof(CONSOLE_READCONSOLE_CONTROL))
+        {
+            /* Sanity check */
+            if (pInputControl->nInitialChars <= nNumberOfCharsToRead)
             {
-                /*
-                 * It is possible here to overwrite the static buffer, in case
-                 * the number of bytes to read was smaller than the static 
buffer.
-                 * In this case, this means we are continuing a pending read,
-                 * and we do not need in fact the executable name that was
-                 * stored in the static buffer because it was first grabbed 
when
-                 * we started the first read.
-                 */
-                RtlCopyMemory(ReadConsoleRequest->Buffer,
-                              lpBuffer,
-                              ReadConsoleRequest->InitialNumBytes);
+                ReadConsoleRequest->InitialNumBytes =
+                    pInputControl->nInitialChars * sizeof(WCHAR); // CharSize
+
+                if (pInputControl->nInitialChars != 0)
+                {
+                    /*
+                     * It is possible here to overwrite the static buffer, in 
case
+                     * the number of bytes to read was smaller than the static 
buffer.
+                     * In this case, this means we are continuing a pending 
read,
+                     * and we do not need in fact the executable name that was
+                     * stored in the static buffer because it was first 
grabbed when
+                     * we started the first read.
+                     */
+                    RtlCopyMemory(ReadConsoleRequest->Buffer,
+                                  lpBuffer,
+                                  ReadConsoleRequest->InitialNumBytes);
+                }
+
+                ReadConsoleRequest->CtrlWakeupMask = 
pInputControl->dwCtrlWakeupMask;
             }
-
-            ReadConsoleRequest->CtrlWakeupMask = 
pInputControl->dwCtrlWakeupMask;
+            else
+            {
+                // Status = STATUS_INVALID_PARAMETER;
+            }
         }
         else
         {
-            // Status = STATUS_INVALID_PARAMETER;
-        }
-    }
-    else
-    {
-        /* We are in a situation where pInputControl has no meaning */
-        pInputControl = NULL;
-    }
+            /* We are in a situation where pInputControl has no meaning */
+            pInputControl = NULL;
+        }
+    }
+    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+    {
+        // HACK
+        if (CaptureBuffer) CsrFreeCaptureBuffer(CaptureBuffer);
+        SetLastError(ERROR_INVALID_ACCESS);
+        return FALSE;
+    }
+    _SEH2_END;
 
     /* Check for sanity */
 /*
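Review bot: The count that gates the copy, `pInputControl->nInitialChars`, is read from the caller's structure three times (the `<= nNumberOfCharsToRead` check, the `InitialNumBytes` computation and the `!= 0` test), so the length handed to `RtlCopyMemory` is not necessarily the value that was validated; read it once into a local, `ULONG InitialChars = pInputControl->nInitialChars;`, then use it in `if (InitialChars <= nNumberOfCharsToRead)` and `ReadConsoleRequest->InitialNumBytes = InitialChars * sizeof(WCHAR);`. The new SEH wrapper only turns an unreadable pointer into ERROR_INVALID_ACCESS; it does nothing for a readable structure carrying an oversized count, so that bound check is the only thing protecting the copy, and the capacity of `ReadConsoleRequest->Buffer` it is implicitly relied on to cover is established outside this hunk and should be confirmed there. The bare `return FALSE;` inside `_SEH2_EXCEPT` is marked HACK; other ReactOS call sites leave a handler with `_SEH2_YIELD(return FALSE);`, so confirm which form the PSEH flavour used by this build requires. The enclosing function starts before and continues after this hunk.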

