From: Thomas Faber
Date: Sat, 22 Sep 2012 09:18:34 +0000 (+0000)
Subject: [KERNEL32]
X-Git-Tag: backups/ros-csrss@57560~188
X-Git-Url: https://git.reactos.org/?p=reactos.git;a=commitdiff_plain;h=1cc975ea630794a9bf2a29bd028cfea70ad0a46c;hp=46029920aab3653b1d322bb80f204f9fa1300190
[KERNEL32] - Fix buffer overflow in PeekNamedPipe svn path=/trunk/; revision=57360
---
diff --git a/reactos/dll/win32/kernel32/client/file/npipe.c b/reactos/dll/win32/kernel32/client/file/npipe.c
index eb54cc6aac2..6f7c061a4fd 100644
--- a/reactos/dll/win32/kernel32/client/file/npipe.c
+++ b/reactos/dll/win32/kernel32/client/file/npipe.c
@@ -1173,7 +1173,7 @@ PeekNamedPipe(HANDLE hNamedPipe,
 NTSTATUS Status;
 /* Calculate the buffer space that we'll need and allocate it */
- BufferSize = nBufferSize + sizeof(FILE_PIPE_PEEK_BUFFER);
+ BufferSize = FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[nBufferSize]);
 Buffer = RtlAllocateHeap(RtlGetProcessHeap(), 0, BufferSize);
 if (Buffer == NULL)
 {
@@ -1215,11 +1215,15 @@ PeekNamedPipe(HANDLE hNamedPipe,
 /* Check if caller requested bytes available */
 if (lpTotalBytesAvail)
+ {
+ /* Return bytes available */
 *lpTotalBytesAvail = Buffer->ReadDataAvailable;
+ }
 /* Calculate the bytes returned, minus our structure overhead */
 BytesRead = (ULONG)(Iosb.Information - FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[0]));
+ ASSERT(BytesRead <= nBufferSize);
 /* Check if caller requested bytes read */
 if (lpBytesRead)
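Review bot: The new size expression `FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[nBufferSize])` still uses the caller-supplied nBufferSize without a range check, so a value near the top of the DWORD range can wrap and yield an allocation smaller than the size the caller stated. It may also go negative if FIELD_OFFSET evaluates to a LONG in this tree, which is worth confirming. A guard ahead of the calculation would make the bound explicit, for example `if (nBufferSize > MAXLONG - FIELD_OFFSET(FILE_PIPE_PEEK_BUFFER, Data[0])) { SetLastError(ERROR_INVALID_PARAMETER); return FALSE; }`. How BufferSize is passed on to the peek request is outside this hunk, so the practical effect has to be checked against the rest of PeekNamedPipe.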
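Review bot: `ASSERT(BytesRead <= nBufferSize)` only protects checked builds; in a release build it compiles away and BytesRead reaches the code after this hunk unbounded. BytesRead is computed by subtracting the header offset from Iosb.Information, so an Information value smaller than the header would also wrap to a very large ULONG. A runtime bound next to the assert, such as `if (BytesRead > nBufferSize) BytesRead = nBufferSize;`, would keep any later copy into the caller's buffer within the size the caller supplied. That copy is outside the hunk, so its exact form is inferred rather than visible here.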