https://git.reactos.org/?p=reactos.git;a=commitdiff;h=96ae15ac4bfa3c43fe08aa959f58fd8a1449e8e0
commit 96ae15ac4bfa3c43fe08aa959f58fd8a1449e8e0
Author: Jérôme Gardou <jerome.gar...@reactos.org>
AuthorDate: Tue Dec 15 10:07:27 2020 +0100
Commit: Jérôme Gardou <jerome.gar...@reactos.org>
CommitDate: Tue Dec 15 10:08:25 2020 +0100
[NTOS:MM] Fix more 64 bit arithmetics
---
 ntoskrnl/mm/ARM3/section.c | 29 ++++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)
diff --git a/ntoskrnl/mm/ARM3/section.c b/ntoskrnl/mm/ARM3/section.c
index 347f3ca4074..02ead9a70a5 100644
--- a/ntoskrnl/mm/ARM3/section.c
+++ b/ntoskrnl/mm/ARM3/section.c
@@ -1299,6 +1299,14 @@ MiMapViewOfDataSection(IN PCONTROL_AREA ControlArea,
 {
 /* The caller did not, so pick a 64K aligned view size based on the offset */
 SectionOffset->LowPart &= ~(_64K - 1);
+
+ /* Make sure that we will not overflow */
+ if ((Section->SizeOfSection.QuadPart - SectionOffset->QuadPart) > MAXLONG_PTR)
+ {
+ MiDereferenceControlArea(ControlArea);
+ return STATUS_INVALID_VIEW_SIZE;
+ }
+
 *ViewSize = (SIZE_T)(Section->SizeOfSection.QuadPart - SectionOffset->QuadPart);
 }
 else
@@ -1306,6 +1314,13 @@ MiMapViewOfDataSection(IN PCONTROL_AREA ControlArea,
 /* A size was specified, align it to a 64K boundary */
 *ViewSize += SectionOffset->LowPart & (_64K - 1);
+ /* Check for overflow or huge value */
+ if ((*ViewSize < (SectionOffset->LowPart & (_64K - 1))) || ((*ViewSize) > MAXLONG_PTR))
+ {
+ MiDereferenceControlArea(ControlArea);
+ return STATUS_INVALID_VIEW_SIZE;
+ }
+
 /* Align the offset as well to make this an aligned map */
 SectionOffset->LowPart &= ~((ULONG)_64K - 1);
 }
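Review bot: The new guard in the first hunk of MiMapViewOfDataSection does not reject a SectionOffset that lies beyond the end of the section: SizeOfSection.QuadPart and SectionOffset->QuadPart are signed 64-bit values, so when the offset exceeds the size the difference is negative, `negative > MAXLONG_PTR` is false, and the cast on the next line turns that negative value into a huge `*ViewSize`. Unless an earlier check outside this hunk already rejects offsets past the end of the section, the guard should read `if ((SectionOffset->QuadPart > Section->SizeOfSection.QuadPart) || ((Section->SizeOfSection.QuadPart - SectionOffset->QuadPart) > MAXLONG_PTR))`. Note also that the check removed in the third hunk used `*ViewSize >= MAXLONG_PTR` while both replacement checks use `>`, so a view of exactly MAXLONG_PTR bytes is now accepted; if that relaxation is intended, a short comment saying so next to the new check would prevent it being re-tightened later. The enclosing function starts and ends outside the hunk.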
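Review bot: The new check in the else branch (second hunk) recomputes `SectionOffset->LowPart & (_64K - 1)` to detect the wrap of the preceding `*ViewSize +=`, while the alignment statement two lines below spells the same mask as `((ULONG)_64K - 1)`; one local would remove both the duplication and the inconsistent cast: `ULONG LowBits = SectionOffset->LowPart & ((ULONG)_64K - 1);`, `*ViewSize += LowBits;`, `if ((*ViewSize < LowBits) || (*ViewSize > MAXLONG_PTR))`. The wrap test itself is sound for the unsigned SIZE_T addition, and the redundant parentheses around `(*ViewSize)` can go. The enclosing function starts and ends outside the hunk.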
@@ -1313,13 +1328,6 @@ MiMapViewOfDataSection(IN PCONTROL_AREA ControlArea,
 /* We must be dealing with a 64KB aligned offset. This is a Windows ASSERT */
 ASSERT((SectionOffset->LowPart & ((ULONG)_64K - 1)) == 0);
- /* It's illegal to try to map more than overflows a LONG_PTR */
- if (*ViewSize >= MAXLONG_PTR)
- {
- MiDereferenceControlArea(ControlArea);
- return STATUS_INVALID_VIEW_SIZE;
- }
-
 /* Windows ASSERTs for this flag */
 ASSERT(ControlArea->u.Flags.GlobalOnlyPerSession == 0);
@@ -1535,7 +1543,10 @@ MiCreatePagingFileMap(OUT PSEGMENT *Segment,
 SizeLimit <<= PAGE_SHIFT;
 /* Fail if this size is too big */
- if (MaximumSize->QuadPart > SizeLimit) return STATUS_SECTION_TOO_BIG;
+ if (MaximumSize->QuadPart > SizeLimit)
+ {
+ return STATUS_SECTION_TOO_BIG;
+ }
 /* Calculate how many Prototype PTEs will be needed */
 PteCount = (PFN_COUNT)((MaximumSize->QuadPart + PAGE_SIZE - 1) >> PAGE_SHIFT);
@@ -1592,7 +1603,7 @@ MiCreatePagingFileMap(OUT PSEGMENT *Segment,
 /* Save some extra accounting data for the segment as well */
 NewSegment->u1.CreatingProcess = PsGetCurrentProcess();
- NewSegment->SizeOfSegment = PteCount * PAGE_SIZE;
+ NewSegment->SizeOfSegment = ((ULONGLONG)PteCount) * PAGE_SIZE;
 NewSegment->TotalNumberOfPtes = PteCount;
 NewSegment->NonExtendedPtes = PteCount;
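Review bot: The widened product on the new line of the last hunk in MiCreatePagingFileMap is computed from PteCount, which the previous hunk obtains as `(PFN_COUNT)((MaximumSize->QuadPart + PAGE_SIZE - 1) >> PAGE_SHIFT)`, a narrowing of a 64-bit value; whether the `MaximumSize->QuadPart > SizeLimit` test just above it bounds the page count to fit PFN_COUNT is not visible here, and if it does not, PteCount is already truncated before the `(ULONGLONG)` cast can help. A one-line comment at the cast stating why the narrowing is safe, e.g. `/* Fits in PFN_COUNT: MaximumSize is bounded by SizeLimit above */`, would document that assumption for the next reader. MiCreatePagingFileMap continues outside both hunks, and the trailing context of this last hunk appears to be cut by the chunk boundary.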