
commit b2bad34b9b17e8ac5a4fcbfc977357cd4041c69c
Author:     Hermès Bélusca-Maïto <[email protected]>
AuthorDate: Fri Dec 21 00:33:56 2018 +0100
Commit:     Hermès Bélusca-Maïto <[email protected]>
CommitDate: Fri Dec 21 00:34:56 2018 +0100

    [NTOS] Addendum to 03873aee: check that the computed size of the 
OEM-converted string is less than MAXUSHORT.
---
 ntoskrnl/inbv/inbv.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/ntoskrnl/inbv/inbv.c b/ntoskrnl/inbv/inbv.c
index 75825d0aa2..9228569298 100644
--- a/ntoskrnl/inbv/inbv.c
+++ b/ntoskrnl/inbv/inbv.c
@@ -778,6 +778,7 @@ NtDisplayString(IN PUNICODE_STRING DisplayString)
     NTSTATUS Status;
     UNICODE_STRING CapturedString;
     OEM_STRING OemString;
+    ULONG OemLength;
     KPROCESSOR_MODE PreviousMode;
 
     PAGED_CODE();
@@ -806,11 +807,14 @@ NtDisplayString(IN PUNICODE_STRING DisplayString)
      * We cannot perform the allocation using RtlUnicodeStringToOemString()
      * since its allocator uses PagedPool.
      */
-    RtlInitEmptyAnsiString((PANSI_STRING)&OemString, NULL,
-                           RtlUnicodeStringToOemSize(&CapturedString));
-    OemString.Buffer = ExAllocatePoolWithTag(NonPagedPool,
-                                             OemString.MaximumLength,
-                                             TAG_OSTR);
+    OemLength = RtlUnicodeStringToOemSize(&CapturedString);
+    if (OemLength > MAXUSHORT)
+    {
+        Status = STATUS_BUFFER_OVERFLOW;
+        goto Quit;
+    }
+    RtlInitEmptyAnsiString((PANSI_STRING)&OemString, NULL, (USHORT)OemLength);
+    OemString.Buffer = ExAllocatePoolWithTag(NonPagedPool, OemLength, 
TAG_OSTR);
     if (OemString.Buffer == NULL)
     {
         Status = STATUS_NO_MEMORY;
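Review bot: The new `OemLength > MAXUSHORT` guard fails with STATUS_BUFFER_OVERFLOW, a code that conventionally reports a caller-supplied output buffer being too small with the result truncated; here nothing is written at all, the problem is that the input string's OEM size cannot be represented in OEM_STRING.MaximumLength, so `STATUS_INVALID_PARAMETER` (or STATUS_NAME_TOO_LONG) would describe the rejection more precisely. Whichever status is kept, the reason for the limit deserves a comment above the `if`, e.g. `/* MaximumLength is a USHORT: refuse strings whose OEM size would not fit in it. */`, since the (USHORT) cast on the next line is only safe because of this check. The early `goto Quit` runs after CapturedString has been captured; if the Quit label releases the captured copy the way the later failure paths presumably do this is fine, but that label is outside the hunk and should be confirmed. NtDisplayString begins before and ends after this hunk.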
