Author: tfaber
Date: Tue Oct 21 14:22:28 2014
New Revision: 64867

URL: http://svn.reactos.org/svn/reactos?rev=64867&view=rev
Log:
[RTL]
- Fix a buffer overflow in RtlSetBits/RtlClearBits

Modified:
    trunk/reactos/lib/rtl/bitmap.c
    trunk/rostests/apitests/ntdll/RtlBitmap.c

Modified: trunk/reactos/lib/rtl/bitmap.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/lib/rtl/bitmap.c?rev=64867&r1=64866&r2=64867&view=diff
==============================================================================
--- trunk/reactos/lib/rtl/bitmap.c      [iso-8859-1] (original)
+++ trunk/reactos/lib/rtl/bitmap.c      [iso-8859-1] Tue Oct 21 14:22:28 2014
@@ -362,8 +362,11 @@
 
     /* Clear what's left */
     NumberToClear &= (_BITCOUNT - 1);
-    Mask = MAXINDEX << NumberToClear;
-    *Buffer &= Mask;
+    if (NumberToClear)
+    {
+        Mask = MAXINDEX << NumberToClear;
+        *Buffer &= Mask;
+    }
 }
 
 VOID
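Review bot: The new `if (NumberToClear)` guard at the end of RtlClearBits carries no comment saying why a zero remainder must skip the store, and the same holds for the `if (NumberToSet)` guard in RtlSetBits in the next hunk. When the range ends exactly on a word boundary, Buffer presumably already points at the word after the last one touched, which can be one past the end of the bitmap. The old unconditional `*Buffer &= Mask;` / `*Buffer |= ~Mask;` was then an out-of-bounds read-modify-write, even though (assuming MAXINDEX is all ones) the value written back was unchanged. I would add `/* Nothing left: Buffer may point past the end of the bitmap, so it must not be touched */` above each guard, so the check is not later removed as a redundant branch. Both function bodies start outside their hunks, so how Buffer is advanced is inferred rather than visible here.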
@@ -419,8 +422,11 @@
 
     /* Set what's left */
     NumberToSet &= (_BITCOUNT - 1);
-    Mask = MAXINDEX << NumberToSet;
-    *Buffer |= ~Mask;
+    if (NumberToSet)
+    {
+        Mask = MAXINDEX << NumberToSet;
+        *Buffer |= ~Mask;
+    }
 }
 
 BOOLEAN

Modified: trunk/rostests/apitests/ntdll/RtlBitmap.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/rostests/apitests/ntdll/RtlBitmap.c?rev=64867&r1=64866&r2=64867&view=diff
==============================================================================
--- trunk/rostests/apitests/ntdll/RtlBitmap.c   [iso-8859-1] (original)
+++ trunk/rostests/apitests/ntdll/RtlBitmap.c   [iso-8859-1] Tue Oct 21 14:22:28 2014
@@ -200,6 +200,11 @@
     ok_hex(Buffer[0], 0x00001fff);
     ok_hex(Buffer[1], 0xfffffff8);
 
+    memset(Buffer, 0xff, BufferSize);
+    RtlClearBits(&BitMapHeader, 63, 1);
+    ok_hex(Buffer[0], 0xffffffff);
+    ok_hex(Buffer[1], 0x7fffffff);
+
     memset(Buffer, 0xcc, BufferSize);
     RtlClearBits(&BitMapHeader, 3, 6);
     RtlClearBits(&BitMapHeader, 11, 5);
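Review bot: The added `RtlClearBits(&BitMapHeader, 63, 1)` case only asserts on Buffer[0] and Buffer[1], and the pre-fix code would have produced the same two values, so these assertions alone do not detect the regression. The same applies to the `RtlSetBits(&BitMapHeader, 63, 1)` case in the next hunk. Judging by the removed lines in bitmap.c, the stray access rewrote the following word with its existing value. The test therefore catches the bug only if Buffer is allocated so that the word after the bitmap is inaccessible, or is a sentinel that gets checked. The allocation of Buffer and the value of BufferSize are outside this hunk, so that cannot be confirmed here. I would add `/* Range ends on the last bit of the bitmap: must not access the word after Buffer */` above each new case and, if the buffer is not guarded, check a sentinel word placed after it.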
@@ -244,6 +249,11 @@
     RtlSetBits(&BitMapHeader, 13, 22);
     ok_hex(Buffer[0], 0xffffe000);
     ok_hex(Buffer[1], 0x00000007);
+
+    memset(Buffer, 0x00, BufferSize);
+    RtlSetBits(&BitMapHeader, 63, 1);
+    ok_hex(Buffer[0], 0x00000000);
+    ok_hex(Buffer[1], 0x80000000);
 
     memset(Buffer, 0xcc, BufferSize);
     RtlSetBits(&BitMapHeader, 3, 6);

