From: Thomas Faber
Date: Fri, 31 Oct 2014 17:05:30 +0000 (+0000)
Subject: [MSGINA]
X-Git-Tag: backups/tcpip_revolution@71025~146
X-Git-Url: https://git.reactos.org/?p=reactos.git;a=commitdiff_plain;h=b5b1531e3efd4b5964c2656e4cb2ac5d5d3f45ca
[MSGINA]
- pszEnvironment is a multi-sz string so make sure to double-null terminate it. Fixes a buffer overrun in winlogon; powered by DPH.
svn path=/trunk/; revision=65153
---
diff --git a/reactos/dll/win32/msgina/msgina.c b/reactos/dll/win32/msgina/msgina.c
index 6974725befc..2a45e7e5800 100644
--- a/reactos/dll/win32/msgina/msgina.c
+++ b/reactos/dll/win32/msgina/msgina.c
@@ -30,6 +30,7 @@
 #include
 #include
 #include
+#include
 HINSTANCE hDllInstance;
@@ -778,15 +779,19 @@ CreateProfile(
 pProfile->dwType = WLX_PROFILE_TYPE_V2_0;
 pProfile->pszProfile = ProfilePath;
- lpEnvironment = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
- (wcslen(pgContext->Domain)+ 14 + 1) * sizeof(WCHAR));
+ cbSize = sizeof(L"LOGONSERVER=\\\\") +
+ wcslen(pgContext->Domain) * sizeof(WCHAR) +
+ sizeof(UNICODE_NULL);
+ lpEnvironment = HeapAlloc(GetProcessHeap(), 0, cbSize);
 if (!lpEnvironment) {
 WARN("HeapAlloc() failed\n");
 goto cleanup;
 }
- wsprintfW(lpEnvironment, L"LOGONSERVER=\\\\%s", pgContext->Domain);
+ StringCbPrintfW(lpEnvironment, cbSize, L"LOGONSERVER=\\\\%ls", pgContext->Domain);
+ ASSERT(wcslen(lpEnvironment) == cbSize / sizeof(WCHAR) - 2);
+ lpEnvironment[cbSize / sizeof(WCHAR) - 1] = UNICODE_NULL;
 pProfile->pszEnvironment = lpEnvironment;
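Review bot: The HRESULT from StringCbPrintfW is discarded, and the only consistency check on the result is the ASSERT on the next line, which compiles out in release builds, so a formatting failure there would leave lpEnvironment holding whatever strsafe writes on error and still hand it to pProfile->pszEnvironment; the cbSize arithmetic a few lines earlier guarantees the text fits, so a failure would be a logic error, and I would either check it, `if (FAILED(StringCbPrintfW(lpEnvironment, cbSize, L"LOGONSERVER=\\\\%ls", pgContext->Domain))) goto cleanup;` (assuming the cleanup path, which lies outside the hunk, releases lpEnvironment), or state that invariant in a comment. The reason for the extra UNICODE_NULL in cbSize and for the explicit store at index cbSize / sizeof(WCHAR) - 1 is recorded only in the commit message; a comment above the cbSize assignment such as `/* pszEnvironment is a multi-sz block: the entry's NUL must be followed by a second NUL that ends the block */` would keep a later edit from dropping either the extra WCHAR or the store, since the switch from HEAP_ZERO_MEMORY to 0 means nothing else zeroes that last WCHAR. The declaration of cbSize (StringCbPrintfW and wcslen both work in size_t) and the rest of CreateProfile, including the cleanup label, are outside the hunk.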