[CONSRV]

- Fix potential Out-of-bounds access during string copy/concatenation. CID 1322098.
- Fix check for NULL after potential dereference. CID 1322175.

svn path=/trunk/; revision=71913

diff --git a/reactos/win32ss/user/winsrv/concfg/settings.c b/reactos/win32ss/user/winsrv/concfg/settings.c
index bf95a57..0b57876 100644 (file)
--- a/reactos/win32ss/user/winsrv/concfg/settings.c
+++ b/reactos/win32ss/user/winsrv/concfg/settings.c
@@ -102,13 +102,12 @@ TranslateConsoleName(OUT LPWSTR DestString,
     wLength = GetWindowsDirectoryW(DestString, MaxStrLen);
     if ((wLength > 0) && (_wcsnicmp(ConsoleName, DestString, wLength) == 0))
     {
-        wcsncpy(DestString, L"%SystemRoot%", MaxStrLen);
-        // FIXME: Fix possible buffer overflows there !!!!!
-        wcsncat(DestString, ConsoleName + wLength, MaxStrLen);
+        StringCchCopyW(DestString, MaxStrLen, L"%SystemRoot%");
+        StringCchCatW(DestString, MaxStrLen, ConsoleName + wLength);
     }
     else
     {
-        wcsncpy(DestString, ConsoleName, MaxStrLen);
+        StringCchCopyW(DestString, MaxStrLen, ConsoleName);
     }
 
     /* Replace path separators (backslashes) by underscores */
@@ -155,10 +154,10 @@ ConCfgOpenUserSettings(LPCWSTR ConsoleTitle,
      * to make the registry happy, replace all the
      * backslashes by underscores.
      */
-    TranslateConsoleName(szBuffer2, ConsoleTitle, MAX_PATH);
+    TranslateConsoleName(szBuffer2, ConsoleTitle, ARRAYSIZE(szBuffer2));
 
     /* Create the registry path */
-    wcsncat(szBuffer, szBuffer2, MAX_PATH - wcslen(szBuffer) - 1);
+    StringCchCatW(szBuffer, MAX_PATH - wcslen(szBuffer) - 1, szBuffer2);
 
     /* Create or open the registry key */
     if (Create)

diff --git a/reactos/win32ss/user/winsrv/consrv/frontends/gui/conwnd.c b/reactos/win32ss/user/winsrv/consrv/frontends/gui/conwnd.c
index 2ff93b9..e55ba70 100644 (file)
--- a/reactos/win32ss/user/winsrv/consrv/frontends/gui/conwnd.c
+++ b/reactos/win32ss/user/winsrv/consrv/frontends/gui/conwnd.c
@@ -1455,15 +1455,16 @@ OnNcDestroy(HWND hWnd)
 {
     PGUI_CONSOLE_DATA GuiData = GuiGetGuiData(hWnd);
 
-    if (GuiData->IsWindowVisible)
-    {
-        KillTimer(hWnd, CONGUI_UPDATE_TIMER);
-    }
+    /* Free the GuiData registration */
+    SetWindowLongPtrW(hWnd, GWLP_USERDATA, (DWORD_PTR)NULL);
 
     GetSystemMenu(hWnd, TRUE);
 
     if (GuiData)
     {
+        if (GuiData->IsWindowVisible)
+            KillTimer(hWnd, CONGUI_UPDATE_TIMER);
+
         /* Free the terminal framebuffer */
         if (GuiData->hMemDC ) DeleteDC(GuiData->hMemDC);
         if (GuiData->hBitmap) DeleteObject(GuiData->hBitmap);
@@ -1471,9 +1472,6 @@ OnNcDestroy(HWND hWnd)
         DeleteFonts(GuiData);
     }
 
-    /* Free the GuiData registration */
-    SetWindowLongPtrW(hWnd, GWLP_USERDATA, (DWORD_PTR)NULL);
-
     return DefWindowProcW(hWnd, WM_NCDESTROY, 0, 0);
 }