[NTOSKNRL]
authorPierre Schweitzer <pierre@reactos.org>
Fri, 25 Feb 2011 20:15:51 +0000 (20:15 +0000)
committerPierre Schweitzer <pierre@reactos.org>
Fri, 25 Feb 2011 20:15:51 +0000 (20:15 +0000)
For both FsRtlIsNameInExpression() & FsRtlIsDbcsInExpression():
As both UNICODE_STRING & ANSI_STRING might not be NULL-terminated, don't attempt to read the null char.
This fixes potential buffer overruns.
Then it fixes some (all?) 'TempPte.u.Long != 0' assertion failures.
See issue #5923 for more details.

svn path=/trunk/; revision=50904

reactos/ntoskrnl/fsrtl/dbcsname.c
reactos/ntoskrnl/fsrtl/name.c

index 202c2a3..2bf4af9 100644 (file)
@@ -185,10 +185,15 @@ FsRtlIsDbcsInExpression(IN PANSI_STRING Expression,
                     break;
 
                 case '?':
-                    ExpressionPosition++;
+                    if (++ExpressionPosition == Expression->Length)
+                    {
+                        NamePosition = Name->Length;
+                        break;
+                    }
+
                     MatchingChars = NamePosition;
-                    while (Name->Buffer[NamePosition] != Expression->Buffer[ExpressionPosition] &&
-                           NamePosition < Name->Length)
+                    while (NamePosition < Name->Length &&
+                           Name->Buffer[NamePosition] != Expression->Buffer[ExpressionPosition])
                     {
                         NamePosition++;
                     }
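Review bot: The new guard `if (++ExpressionPosition == Expression->Length)` makes a trailing `?` swallow the whole remainder of the name by setting `NamePosition = Name->Length`, which accepts a name with zero or several characters left where a single-character wildcard would usually be expected; the scan loop that follows it also advances over name characters rather than consuming exactly one, so if that is the intended contract here, a comment such as `/* Trailing '?': nothing left to compare against, accept the rest of the name */` would save the next reader the same question. Note also that this `break` leaves only the `switch`, so whether the outer loop then terminates depends on its condition, which is outside the hunk. The same construct is added in name.c at `@@ -45,11 +45,16 @@` and the remark applies there too. The enclosing function starts and ends outside the hunk.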
@@ -200,7 +205,7 @@ FsRtlIsDbcsInExpression(IN PANSI_STRING Expression,
                     break;
 
                 case ANSI_DOS_DOT:
-                    while (Name->Buffer[NamePosition] != '.' && NamePosition < Name->Length)
+                    while (NamePosition < Name->Length && Name->Buffer[NamePosition] != '.')
                     {
                         NamePosition++;
                     }
@@ -246,8 +251,8 @@ FsRtlIsDbcsInExpression(IN PANSI_STRING Expression,
         else if (StarFound != MAXUSHORT)
         {
             ExpressionPosition = StarFound + 1;
-            while (Name->Buffer[NamePosition] != Expression->Buffer[ExpressionPosition] &&
-                   NamePosition < Name->Length)
+            while (NamePosition < Name->Length &&
+                   Name->Buffer[NamePosition] != Expression->Buffer[ExpressionPosition])
             {
                 NamePosition++;
             }
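Review bot: The reordered condition now bounds-checks `NamePosition`, but `Expression->Buffer[ExpressionPosition]` is still read with `ExpressionPosition = StarFound + 1` and no check that it is below `Expression->Length`, so a `*` as the last expression character would reproduce the kind of over-read this commit sets out to remove, unless the star handling outside the hunk guarantees the loop never reaches this branch in that case. If that invariant holds, record it with `ASSERT(ExpressionPosition < Expression->Length);` before the loop; if it does not, the position needs an explicit bound before the comparison. The same pattern is in name.c at `@@ -108,9 +113,9 @@`, where the bound would be `Expression->Length / sizeof(WCHAR)`. The enclosing function starts and ends outside the hunk.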
index ecb2c3f..8ed32a3 100644 (file)
@@ -45,11 +45,16 @@ FsRtlIsNameInExpressionPrivate(IN PUNICODE_STRING Expression,
                     break;
 
                 case L'?':
-                    ExpressionPosition++;
+                    if (++ExpressionPosition == Expression->Length / sizeof(WCHAR))
+                    {
+                        NamePosition = Name->Length / sizeof(WCHAR);
+                        break;
+                    }
+
                     MatchingChars = NamePosition;
-                    while ((IgnoreCase ? UpcaseTable[Name->Buffer[NamePosition]] :
-                                         Name->Buffer[NamePosition]) != Expression->Buffer[ExpressionPosition] &&
-                           NamePosition < Name->Length / sizeof(WCHAR))
+                    while (NamePosition < Name->Length / sizeof(WCHAR) &&
+                           (IgnoreCase ? UpcaseTable[Name->Buffer[NamePosition]] :
+                                         Name->Buffer[NamePosition]) != Expression->Buffer[ExpressionPosition])
                     {
                         NamePosition++;
                     }
@@ -61,8 +66,8 @@ FsRtlIsNameInExpressionPrivate(IN PUNICODE_STRING Expression,
                     break;
 
                 case DOS_DOT:
-                    while (Name->Buffer[NamePosition] != L'.' &&
-                           NamePosition < Name->Length / sizeof(WCHAR))
+                    while (NamePosition < Name->Length / sizeof(WCHAR) &&
+                           Name->Buffer[NamePosition] != L'.')
                     {
                         NamePosition++;
                     }
@@ -108,9 +113,9 @@ FsRtlIsNameInExpressionPrivate(IN PUNICODE_STRING Expression,
         else if (StarFound != MAXUSHORT)
         {
             ExpressionPosition = StarFound + 1;
-            while ((IgnoreCase ? UpcaseTable[Name->Buffer[NamePosition]] :
-                    Name->Buffer[NamePosition]) != Expression->Buffer[ExpressionPosition] &&
-                    NamePosition < Name->Length / sizeof(WCHAR))
+            while (NamePosition < Name->Length / sizeof(WCHAR) &&
+                   (IgnoreCase ? UpcaseTable[Name->Buffer[NamePosition]] :
+                    Name->Buffer[NamePosition]) != Expression->Buffer[ExpressionPosition])
             {
                 NamePosition++;
             }