[RTL]
author Timo Kreuzer <timo.kreuzer@reactos.org>
Tue, 14 Jan 2014 19:41:01 +0000 (19:41 +0000)
committer Timo Kreuzer <timo.kreuzer@reactos.org>
Tue, 14 Jan 2014 19:41:01 +0000 (19:41 +0000)
Fix a nasty bug in RtlQueryRegistryValues that caused memory corruption when the key name or data had the "wrong" length.

svn path=/trunk/; revision=61624

reactos/lib/rtl/registry.c

index 030fbef..2645484 100644
@@ -211,7 +211,7 @@ RtlpCallQueryRegistryRoutine(IN PRTL_QUERY_REGISTRY_TABLE QueryTable,
 
             /* Check if we have space to copy the data */
             RequiredLength = KeyValueInfo->NameLength + sizeof(UNICODE_NULL);
-            if (SpareLength < RequiredLength)
+            if ((SpareData > DataEnd) || (SpareLength < RequiredLength))
             {
                 /* Fail and return the missing length */
                 *InfoSize = (ULONG)(SpareData - (PCHAR)KeyValueInfo) + RequiredLength;
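Review bot: The new `(SpareData > DataEnd)` guard in the condition only helps if `SpareLength` is computed from `DataEnd - SpareData` as an unsigned quantity that wraps to a huge value once `SpareData` has run past `DataEnd`; that derivation is not in this hunk, so please confirm it, and consider a comment on the `if` stating that a past-the-end `SpareData` is exactly the case being rejected, since the surrounding comment still reads "Check if we have space to copy the data" and does not mention it. Also note that in that past-the-end case the `*InfoSize` computed on the following line (`(SpareData - (PCHAR)KeyValueInfo) + RequiredLength`) includes the overshoot beyond `DataEnd`, so the caller is told a slightly larger size than strictly needed; that is safe but worth documenting so nobody "tightens" it later.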