From 17990b28a2ee07f302ddd25c35c41a11958fb369 Mon Sep 17 00:00:00 2001
From: Thomas Faber
Date: Sun, 29 Jan 2017 00:00:22 +0000
Subject: [PATCH] [FREELDR] - Correctly check for buffer overflow in DetectPnpBios. Patch by Serge Gautherie. CORE-12623 #resolve
svn path=/trunk/; revision=73617
---
 reactos/boot/freeldr/freeldr/arch/i386/machpc.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/reactos/boot/freeldr/freeldr/arch/i386/machpc.c b/reactos/boot/freeldr/freeldr/arch/i386/machpc.c
index e08e7e08f52..018ac6ecefe 100644
--- a/reactos/boot/freeldr/freeldr/arch/i386/machpc.c
+++ b/reactos/boot/freeldr/freeldr/arch/i386/machpc.c
@@ -101,7 +101,7 @@ PcGetHarddiskConfigurationData(UCHAR DriveNumber, ULONG* pSize)
 PartialResourceList = FrLdrHeapAlloc(Size, TAG_HW_RESOURCE_LIST);
 if (PartialResourceList == NULL)
 {
- ERR("Failed to allocate a full resource descriptor\n");
+ ERR("Failed to allocate resource descriptor\n");
 return NULL;
 }
@@ -170,6 +170,7 @@ DetectPnpBios(PCONFIGURATION_COMPONENT_DATA SystemKey, ULONG *BusNumber)
 ULONG FoundNodeCount;
 int i;
 ULONG PnpBufferSize;
+ ULONG PnpBufferSizeLimit;
 ULONG Size;
 char *Ptr;
@@ -204,8 +205,9 @@ DetectPnpBios(PCONFIGURATION_COMPONENT_DATA SystemKey, ULONG *BusNumber)
 TRACE("Estimated buffer size %u\n", NodeSize * NodeCount);
 /* Set 'Configuration Data' value */
- Size = sizeof(CM_PARTIAL_RESOURCE_LIST)
- + sizeof(CM_PNP_BIOS_INSTALLATION_CHECK) + (NodeSize * NodeCount);
+ PnpBufferSizeLimit = sizeof(CM_PNP_BIOS_INSTALLATION_CHECK)
+ + (NodeSize * NodeCount);
+ Size = sizeof(CM_PARTIAL_RESOURCE_LIST) + PnpBufferSizeLimit;
 PartialResourceList = FrLdrHeapAlloc(Size, TAG_HW_RESOURCE_LIST);
 if (PartialResourceList == NULL)
 {
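Review bot: `PnpBufferSizeLimit` in the @@ -204 hunk is derived from `NodeSize * NodeCount`, which presumably come from the PnP BIOS, and nothing visible in this hunk bounds either value before the multiplication and the two additions. If they are not clamped earlier in DetectPnpBios (the function starts and ends outside the hunk), a wrapped result would shrink the allocation and the limit together, and the fixed-size header and installation-check writes would not be covered by the per-node check at @@ -247. Worth confirming the clamp exists and documenting the invariant beside the assignment, e.g. `/* Capacity for installation check data plus device nodes; excludes the CM_PARTIAL_RESOURCE_LIST header */`.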
@@ -229,10 +231,10 @@ DetectPnpBios(PCONFIGURATION_COMPONENT_DATA SystemKey, ULONG *BusNumber)
 /* Set installation check data */
 memcpy (Ptr, InstData, sizeof(CM_PNP_BIOS_INSTALLATION_CHECK));
 Ptr += sizeof(CM_PNP_BIOS_INSTALLATION_CHECK);
+ PnpBufferSize = sizeof(CM_PNP_BIOS_INSTALLATION_CHECK);
 /* Copy device nodes */
 FoundNodeCount = 0;
- PnpBufferSize = sizeof(CM_PNP_BIOS_INSTALLATION_CHECK);
 for (i = 0; i < 0xFF; i++)
 {
 NodeNumber = (UCHAR)i;
@@ -247,9 +249,9 @@ DetectPnpBios(PCONFIGURATION_COMPONENT_DATA SystemKey, ULONG *BusNumber)
 DeviceNode->Size, DeviceNode->Size);
- if (PnpBufferSize + DeviceNode->Size > Size)
+ if (PnpBufferSize + DeviceNode->Size > PnpBufferSizeLimit)
 {
- ERR("Buffer too small!\n");
+ ERR("Buffer too small! Ignoring remaining device nodes.\n");
 break;
 }
-- 
2.17.1
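Review bot: The corrected guard at @@ -247 still adds before it compares, and `DeviceNode->Size` is presumably a firmware-supplied length whose type is not visible in the hunk. The subtraction form `if (DeviceNode->Size > PnpBufferSizeLimit - PnpBufferSize)` cannot wrap as long as PnpBufferSize never exceeds the limit, which makes it the safer idiom for a bounds check on external data. The copy and the update of PnpBufferSize sit after the hunk, so that invariant has to be confirmed there. A short comment above the check, such as `/* Stop before a node would overrun the space reserved after the resource list header */`, would record why the limit, not `Size`, is the right bound.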