From b2bad34b9b17e8ac5a4fcbfc977357cd4041c69c Mon Sep 17 00:00:00 2001
From: =?utf8?q?Herm=C3=A8s=20B=C3=A9lusca-Ma=C3=AFto?=
Date: Fri, 21 Dec 2018 00:33:56 +0100
Subject: [PATCH] [NTOS] Addendum to 03873aee: check that the computed size of the OEM-converted string is less than MAXUSHORT.
---
 ntoskrnl/inbv/inbv.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/ntoskrnl/inbv/inbv.c b/ntoskrnl/inbv/inbv.c
index 75825d0aa23..92285692980 100644
--- a/ntoskrnl/inbv/inbv.c
+++ b/ntoskrnl/inbv/inbv.c
@@ -778,6 +778,7 @@ NtDisplayString(IN PUNICODE_STRING DisplayString)
 NTSTATUS Status;
 UNICODE_STRING CapturedString;
 OEM_STRING OemString;
+ ULONG OemLength;
 KPROCESSOR_MODE PreviousMode;

 PAGED_CODE();
@@ -806,11 +807,14 @@ NtDisplayString(IN PUNICODE_STRING DisplayString)
 * We cannot perform the allocation using RtlUnicodeStringToOemString()
 * since its allocator uses PagedPool.
 */
- RtlInitEmptyAnsiString((PANSI_STRING)&OemString, NULL,
- RtlUnicodeStringToOemSize(&CapturedString));
- OemString.Buffer = ExAllocatePoolWithTag(NonPagedPool,
- OemString.MaximumLength,
- TAG_OSTR);
+ OemLength = RtlUnicodeStringToOemSize(&CapturedString);
+ if (OemLength > MAXUSHORT)
+ {
+ Status = STATUS_BUFFER_OVERFLOW;
+ goto Quit;
+ }
+ RtlInitEmptyAnsiString((PANSI_STRING)&OemString, NULL, (USHORT)OemLength);
+ OemString.Buffer = ExAllocatePoolWithTag(NonPagedPool, OemLength, TAG_OSTR);
 if (OemString.Buffer == NULL)
 {
 Status = STATUS_NO_MEMORY;
-- 
2.17.1
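Review bot: The new `OemLength > MAXUSHORT` rejection path sets `Status = STATUS_BUFFER_OVERFLOW`, which is a warning-severity status (0x80000005) for which NT_SUCCESS() evaluates true, so a user-mode caller checking NT_SUCCESS(NtDisplayString(...)) would see the oversized string as accepted while nothing was displayed. Since the caller supplied an input the service cannot handle rather than an output buffer that was too small, an error-class status fits better, e.g. `Status = STATUS_INVALID_PARAMETER;` (or STATUS_BUFFER_TOO_SMALL if the intent is to describe the USHORT limit). The rest of the fix looks consistent: after the check the `(USHORT)OemLength` stored in MaximumLength and the `OemLength` passed to ExAllocatePoolWithTag describe the same size. NtDisplayString's body and the `Quit` label that is jumped to (and whatever cleanup of CapturedString it performs) lie outside this hunk, so I have assumed that label releases the captured string on this new early-exit path as it does for the existing STATUS_NO_MEMORY one.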