[ACPI]
authorThomas Faber <thomas.faber@reactos.org>
Mon, 16 Nov 2015 20:01:04 +0000 (20:01 +0000)
committerThomas Faber <thomas.faber@reactos.org>
Mon, 16 Nov 2015 20:01:04 +0000 (20:01 +0000)
- Completely duplicate CompatibleIdList before freeing the original in acpi_bus_add. Fixes use after free

svn path=/trunk/; revision=69901

reactos/drivers/bus/acpi/busmgr/bus.c

index a336f4b..b0b6a4d 100644 (file)
@@ -1258,8 +1258,19 @@ acpi_bus_add (
                if (info->Valid & ACPI_VALID_CID) {
                        cid_list = &info->CompatibleIdList;
                        device->pnp.cid_list = ExAllocatePoolWithTag(NonPagedPool,cid_list->ListSize, 'DpcA');
-                       if (device->pnp.cid_list)
-                               memcpy(device->pnp.cid_list, cid_list, cid_list->ListSize);
+                       if (device->pnp.cid_list) {
+                               char *p = (char *)&device->pnp.cid_list->Ids[cid_list->Count];
+                               device->pnp.cid_list->Count = cid_list->Count;
+                               device->pnp.cid_list->ListSize = cid_list->ListSize;
+                               for (i = 0; i < cid_list->Count; i++) {
+                                       device->pnp.cid_list->Ids[i].Length = cid_list->Ids[i].Length;
+                                       device->pnp.cid_list->Ids[i].String = p;
+                                       ASSERT(p + cid_list->Ids[i].Length <= (char *)device->pnp.cid_list + cid_list->ListSize);
+                                       memcpy(device->pnp.cid_list->Ids[i].String,
+                                               cid_list->Ids[i].String, cid_list->Ids[i].Length);
+                                       p += cid_list->Ids[i].Length;
+                               }
+                       }
                        else
                                DPRINT("Memory allocation error\n");
                }
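Review bot: The only bounds check ahead of the `memcpy` in the new per-ID loop is an `ASSERT`, which is typically compiled out of release builds, so if the `Length` values ever add up to more than `ListSize`, the copy would write past the nonpaged pool block instead of stopping. The values presumably come from ACPICA and are consistent in practice, but they are derived from firmware-supplied data, so a runtime check that compares each `Length` with the bytes left in the allocation, and publishes only the entries copied in full, would be more robust than the assertion alone. The starting value of `p` (`&Ids[cid_list->Count]`) is also never compared with `ListSize`, which the same check can cover. acpi_bus_add starts and ends outside the hunk, so the declaration of `i` and the origin of `info` are not visible here.

```c
/* … unchanged: p, Count and ListSize setup … */
for (i = 0; i < cid_list->Count; i++) {
        size_t used = (size_t)(p - (char *)device->pnp.cid_list);

        /* Runtime check: stays active in builds where ASSERT is a no-op. */
        if (used > cid_list->ListSize ||
            cid_list->Ids[i].Length > cid_list->ListSize - used) {
                /* Publish only the entries that were copied in full. */
                device->pnp.cid_list->Count = i;
                break;
        }
        /* … unchanged: Length/String assignment, memcpy, p advance … */
}
```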