projects / reactos.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: af7aa8d)
[RTL]
authorTimo Kreuzer <timo.kreuzer@reactos.org>
Tue, 14 Jan 2014 19:41:01 +0000 (19:41 +0000)
committerTimo Kreuzer <timo.kreuzer@reactos.org>
Tue, 14 Jan 2014 19:41:01 +0000 (19:41 +0000)
Fix a nasty bug in RtlQueryRegistryValues, that caused memory corruption when the the key name or data had the "wrong" length.

svn path=/trunk/; revision=61624

reactos/lib/rtl/registry.c patch | blob | history

diff --git a/reactos/lib/rtl/registry.c b/reactos/lib/rtl/registry.c
index 030fbef..2645484 100644 (file)
--- a/reactos/lib/rtl/registry.c
+++ b/reactos/lib/rtl/registry.c
@@ -211,7 +211,7 @@ RtlpCallQueryRegistryRoutine(IN PRTL_QUERY_REGISTRY_TABLE QueryTable,
 
             /* Check if we have space to copy the data */
             RequiredLength = KeyValueInfo->NameLength + sizeof(UNICODE_NULL);
-            if (SpareLength < RequiredLength)
+            if ((SpareData > DataEnd) || (SpareLength < RequiredLength))
             {
                 /* Fail and return the missing length */
                 *InfoSize = (ULONG)(SpareData - (PCHAR)KeyValueInfo) + RequiredLength;
A free Windows-compatible Operating System