[KERNEL32]
authorAleksey Bragin <aleksey@reactos.org>
Sat, 26 Feb 2011 16:50:20 +0000 (16:50 +0000)
committerAleksey Bragin <aleksey@reactos.org>
Sat, 26 Feb 2011 16:50:20 +0000 (16:50 +0000)
- Fix buffer overwrite in GetModuleFileName(). Spotted by DPH.
See issue #5964 for more details.

svn path=/trunk/; revision=50912

reactos/dll/win32/kernel32/misc/ldr.c

index da2f582..6a954ae 100644 (file)
@@ -431,10 +431,10 @@ GetModuleFileNameA (
                                                             &Module->FullDllName,
                                                             FALSE);
                                
-                       if (nSize < Length)
-                               SetLastErrorByStatus (STATUS_BUFFER_TOO_SMALL);
-                       else
+                       if (Length < nSize)
                                lpFilename[Length] = '\0';
+                       else
+                               SetLastErrorByStatus (STATUS_BUFFER_TOO_SMALL);
 
                        RtlLeaveCriticalSection (Peb->LoaderLock);
                        return Length;
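Review bot: The else branch on the new side leaves lpFilename unterminated whenever Length >= nSize, so a caller that fills the buffer exactly (Length == nSize) gets a return value equal to nSize and a string with no terminator, and cannot distinguish that from a complete result without checking GetLastError. If Length is capped at nSize by the conversion above (not visible in the hunk, so I am inferring), the usual Win32 contract is to truncate and still terminate the buffer: `if (Length < nSize) lpFilename[Length] = '\0'; else if (nSize) { lpFilename[nSize - 1] = '\0'; SetLastErrorByStatus (STATUS_BUFFER_TOO_SMALL); }` — the `nSize` guard avoids writing lpFilename[-1] for an empty buffer. The same pattern appears in the GetModuleFileNameW hunk below with L'\0'. GetModuleFileNameA's body starts outside this hunk, so how Length and the copy are bounded should be confirmed against the lines above.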
@@ -489,10 +489,10 @@ GetModuleFileNameW (
 
                        RtlCopyUnicodeString (&FileName,
                                              &Module->FullDllName);
-                       if (nSize < Length)
-                               SetLastErrorByStatus (STATUS_BUFFER_TOO_SMALL);
-                       else
+                       if (Length < nSize)
                                lpFilename[Length] = L'\0';
+                       else
+                               SetLastErrorByStatus (STATUS_BUFFER_TOO_SMALL);
 
                        RtlLeaveCriticalSection (Peb->LoaderLock);