From 93b0957641f1b8c831152aa6fdfc43e2d528f9b4 Mon Sep 17 00:00:00 2001
From: Pierre Schweitzer
Date: Sat, 16 Feb 2019 09:00:06 +0100
Subject: [PATCH] [IPHLPAPI] Check pointers when returning module info from specific connection
---
 dll/win32/iphlpapi/iphlpapi_main.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/dll/win32/iphlpapi/iphlpapi_main.c b/dll/win32/iphlpapi/iphlpapi_main.c
index 83d53d2b10e..5993c74f988 100644
--- a/dll/win32/iphlpapi/iphlpapi_main.c
+++ b/dll/win32/iphlpapi/iphlpapi_main.c
@@ -2293,6 +2293,12 @@ static DWORD GetOwnerModuleFromPidEntry(DWORD OwningPid, TCPIP_OWNER_MODULE_INFO
 WCHAR File[MAX_PATH], Path[MAX_PATH];
 PTCPIP_OWNER_MODULE_BASIC_INFO BasicInfo;
+ if (IsBadWritePtr(pdwSize, sizeof(DWORD)) ||
+ IsBadWritePtr(Buffer, *pdwSize))
+ {
+ return ERROR_INVALID_PARAMETER;
+ }
+
 if (OwningPid == 0)
 {
 return ERROR_NOT_FOUND;
@@ -2363,6 +2369,12 @@ static DWORD GetOwnerModuleFromTagEntry(DWORD OwningPid, DWORD OwningTag, TCPIP_
 PWSTR Buffer;
 } ServiceQuery;
+ if (IsBadWritePtr(pdwSize, sizeof(DWORD)) ||
+ IsBadWritePtr(Buffer, *pdwSize))
+ {
+ return ERROR_INVALID_PARAMETER;
+ }
+
 /* First, secure (avoid injections) load advapi32.dll */
 Size = GetSystemDirectoryW(SysDir, MAX_PATH);
 if (Size == 0)
--
2.17.1
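Review bot: Both added guards, at the top of GetOwnerModuleFromPidEntry and again in GetOwnerModuleFromTagEntry, rely on `IsBadWritePtr`, which Microsoft documents as obsolete. It only probes the range at the moment of the call, so another thread can still unmap or reprotect `Buffer` before the later writes, and probing an invalid pointer can interfere with stack guard-page expansion in other threads. It also returns FALSE whenever `*pdwSize` is 0, so a NULL or stale `Buffer` passes with a zero size; the rest of both functions lies outside these hunks, so it should be confirmed that nothing is written to `Buffer` before the required size is compared with `*pdwSize`. If the probe is kept to match Windows behaviour, I would state that at the check, e.g. `/* Compatibility probe only: checked at call time, size 0 always passes; not a guarantee Buffer stays writable */`. The duplicated test could also move into one static helper so the two paths cannot drift apart.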