From: Hermès Bélusca-Maïto
Date: Thu, 20 Dec 2018 23:33:56 +0000 (+0100)
Subject: [NTOS] Addendum to 03873aee: check that the computed size of the OEM-converted string...
X-Git-Tag: 0.4.13-dev~940
X-Git-Url: https://git.reactos.org/?p=reactos.git;a=commitdiff_plain;h=b2bad34b9b17e8ac5a4fcbfc977357cd4041c69c;ds=sidebyside

[NTOS] Addendum to 03873aee: check that the computed size of the OEM-converted string is less than MAXUSHORT.
---
diff --git a/ntoskrnl/inbv/inbv.c b/ntoskrnl/inbv/inbv.c
index 75825d0aa23..92285692980 100644
--- a/ntoskrnl/inbv/inbv.c
+++ b/ntoskrnl/inbv/inbv.c
@@ -778,6 +778,7 @@ NtDisplayString(IN PUNICODE_STRING DisplayString)
 NTSTATUS Status;
 UNICODE_STRING CapturedString;
 OEM_STRING OemString;
+ ULONG OemLength;
 KPROCESSOR_MODE PreviousMode;
 PAGED_CODE();
@@ -806,11 +807,14 @@ NtDisplayString(IN PUNICODE_STRING DisplayString)
 * We cannot perform the allocation using RtlUnicodeStringToOemString()
 * since its allocator uses PagedPool.
 */
- RtlInitEmptyAnsiString((PANSI_STRING)&OemString, NULL,
- RtlUnicodeStringToOemSize(&CapturedString));
- OemString.Buffer = ExAllocatePoolWithTag(NonPagedPool,
- OemString.MaximumLength,
- TAG_OSTR);
+ OemLength = RtlUnicodeStringToOemSize(&CapturedString);
+ if (OemLength > MAXUSHORT)
+ {
+ Status = STATUS_BUFFER_OVERFLOW;
+ goto Quit;
+ }
+ RtlInitEmptyAnsiString((PANSI_STRING)&OemString, NULL, (USHORT)OemLength);
+ OemString.Buffer = ExAllocatePoolWithTag(NonPagedPool, OemLength, TAG_OSTR);
 if (OemString.Buffer == NULL)
 {
 Status = STATUS_NO_MEMORY;
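Review bot: The new `if (OemLength > MAXUSHORT)` guard in the second hunk should carry a comment saying why it exists, because nothing nearby states that OEM_STRING.MaximumLength is a USHORT and that the `(USHORT)OemLength` cast two lines below would otherwise silently truncate the string size while the pool allocation used the full length; I would add `/* MaximumLength is a USHORT: refuse over-long input instead of truncating it */` directly above the check. The early `goto Quit` is taken before RtlInitEmptyAnsiString() has set OemString.Buffer, so the Quit path must not inspect or free OemString.Buffer, and it must still release CapturedString as the existing STATUS_NO_MEMORY path presumably does; the label lies outside the hunk, so this needs confirming against the rest of the function. STATUS_BUFFER_OVERFLOW is a warning-class status conventionally returned when a caller-supplied output buffer is too small, whereas here the caller's input is too long, so an error-class code such as STATUS_NAME_TOO_LONG may describe the condition more precisely, subject to project convention. NtDisplayString begins and ends outside both hunks.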