From: Pierre Schweitzer
Date: Fri, 21 Sep 2018 06:31:05 +0000 (+0200)
Subject: [NTOSKRNL] Avoid integer overflow when computing VACB read/write size
X-Git-Tag: 0.4.12-dev~752
X-Git-Url: https://git.reactos.org/?p=reactos.git;a=commitdiff_plain;h=15a3ca08b045941efdb49f15ec71beb41eb777f2
[NTOSKRNL] Avoid integer overflow when computing VACB read/write size
This could be triggered when attempting to read/write to really big files. It was causing an attempt to read 0 bytes in Cc, leading to asserts failure in the kernel (and corrupted file).
CORE-15067
---
diff --git a/ntoskrnl/cc/copy.c b/ntoskrnl/cc/copy.c
index a46ed966405..78c6553d8ad 100644
--- a/ntoskrnl/cc/copy.c
+++ b/ntoskrnl/cc/copy.c
@@ -86,12 +86,14 @@ CcReadVirtualAddress (
 NTSTATUS Status;
 IO_STATUS_BLOCK IoStatus;
 KEVENT Event;
+ ULARGE_INTEGER LargeSize;
- Size = (ULONG)(Vacb->SharedCacheMap->SectionSize.QuadPart - Vacb->FileOffset.QuadPart);
- if (Size > VACB_MAPPING_GRANULARITY)
+ LargeSize.QuadPart = Vacb->SharedCacheMap->SectionSize.QuadPart - Vacb->FileOffset.QuadPart;
+ if (LargeSize.QuadPart > VACB_MAPPING_GRANULARITY)
 {
- Size = VACB_MAPPING_GRANULARITY;
+ LargeSize.QuadPart = VACB_MAPPING_GRANULARITY;
 }
+ Size = LargeSize.LowPart;
 Pages = BYTES_TO_PAGES(Size);
 ASSERT(Pages * PAGE_SIZE <= VACB_MAPPING_GRANULARITY);
@@ -155,12 +157,14 @@ CcWriteVirtualAddress (
 NTSTATUS Status;
 IO_STATUS_BLOCK IoStatus;
 KEVENT Event;
+ ULARGE_INTEGER LargeSize;
- Size = (ULONG)(Vacb->SharedCacheMap->SectionSize.QuadPart - Vacb->FileOffset.QuadPart);
- if (Size > VACB_MAPPING_GRANULARITY)
+ LargeSize.QuadPart = Vacb->SharedCacheMap->SectionSize.QuadPart - Vacb->FileOffset.QuadPart;
+ if (LargeSize.QuadPart > VACB_MAPPING_GRANULARITY)
 {
- Size = VACB_MAPPING_GRANULARITY;
+ LargeSize.QuadPart = VACB_MAPPING_GRANULARITY;
 }
+ Size = LargeSize.LowPart;
 //
 // Nonpaged pool PDEs in ReactOS must actually be synchronized between the
 // MmGlobalPageDirectory and the real system PDE directory. What a mess...
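Review bot: The subtraction that feeds `LargeSize.QuadPart` in CcReadVirtualAddress is still unchecked for a `Vacb->FileOffset` at or beyond `SectionSize`. An equal offset yields the same 0-byte transfer the commit message describes. A larger offset would wrap to a huge unsigned value that the clamp turns into a full `VACB_MAPPING_GRANULARITY` transfer past the end of the section, assuming both fields are signed 64-bit values, which the hunk does not show. If callers are meant to guarantee the ordering, state it ahead of the computation with `ASSERT(Vacb->FileOffset.QuadPart < Vacb->SharedCacheMap->SectionSize.QuadPart);`, and add the same line to the identical sequence in the CcWriteVirtualAddress hunk. Both function bodies start and end outside the hunks, so an earlier guard may already exist there.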