[WIN32K:NTUSER] Zero allocated memory in IntCbAllocateMemory.

This avoids disclosing pool contents to user mode when not all members
of the respective structure are initialized or when there is padding.

In co_IntCallWindowProc, also zero the stack buffer since this can
be passed to user mode as well, and contains padding.

diff --git a/win32ss/user/ntuser/callback.c b/win32ss/user/ntuser/callback.c
index 7bcc65f..25e6eee 100644 (file)
--- a/win32ss/user/ntuser/callback.c
+++ b/win32ss/user/ntuser/callback.c
@@ -35,6 +35,7 @@ IntCbAllocateMemory(ULONG Size)
       return NULL;
    }
 
+   RtlZeroMemory(Mem, Size + sizeof(INT_CALLBACK_HEADER));
    W32Thread = PsGetCurrentThreadWin32Thread();
    ASSERT(W32Thread);
 
@@ -185,10 +186,6 @@ co_IntClientLoadLibrary(PUNICODE_STRING pstrLibName,
        pLibNameBuffer -= (ULONG_PTR)pArguments;
        pArguments->strLibraryName.Buffer = (PWCHAR)(pLibNameBuffer);
    }
-   else
-   {
-       RtlZeroMemory(&pArguments->strLibraryName, sizeof(UNICODE_STRING));
-   }
 
    if(pstrInitFunc)
    {
@@ -202,10 +199,6 @@ co_IntClientLoadLibrary(PUNICODE_STRING pstrLibName,
        pInitFuncBuffer -= (ULONG_PTR)pArguments;
        pArguments->strInitFuncName.Buffer = (PWCHAR)(pInitFuncBuffer);
    }
-   else
-   {
-       RtlZeroMemory(&pArguments->strInitFuncName, sizeof(UNICODE_STRING));
-   }
 
    /* Do the callback */
    UserLeaveCo();
@@ -294,7 +287,7 @@ co_IntCallWindowProc(WNDPROC Proc,
                      LPARAM lParam,
                      INT lParamBufferSize)
 {
-   WINDOWPROC_CALLBACK_ARGUMENTS StackArguments;
+   WINDOWPROC_CALLBACK_ARGUMENTS StackArguments = { 0 };
    PWINDOWPROC_CALLBACK_ARGUMENTS Arguments;
    NTSTATUS Status;
    PVOID ResultPointer, pActCtx;
@@ -662,7 +655,6 @@ co_IntCallHookProc(INT HookId,
    Common->offPfn = offPfn;
    Common->Ansi = Ansi;
    Common->lParamSize = lParamSize;
-   RtlZeroMemory(&Common->ModuleName, sizeof(Common->ModuleName));
    if (ModuleName->Buffer && ModuleName->Length)
    {
       RtlCopyMemory(&Common->ModuleName, ModuleName->Buffer, ModuleName->Length);
@@ -929,9 +921,6 @@ co_IntCallLoadMenu( HINSTANCE hModule,
    }
    Common = (PLOADMENU_CALLBACK_ARGUMENTS) Argument;
 
-   // Help Intersource check and MenuName is now 4 bytes + so zero it.
-   RtlZeroMemory(Common, ArgumentLength);
-
    Common->hModule = hModule;
    if (pMenuName->Length)
       RtlCopyMemory(&Common->MenuName, pMenuName->Buffer, pMenuName->Length);

diff --git a/win32ss/user/rtl/text.c b/win32ss/user/rtl/text.c
index 0ab3f00..ac12626 100644 (file)
--- a/win32ss/user/rtl/text.c
+++ b/win32ss/user/rtl/text.c
@@ -997,7 +997,6 @@ BOOL UserExtTextOutW(HDC hdc,
     }
     else
     {
-        RtlZeroMemory(&Argument->rect, sizeof(RECT));
         Argument->bRect = FALSE;
     }