Qian Hong <qhong(a)codeweavers.com> writes:
@@ -1629,8 +1630,28 @@ NtAccessCheck(
status = wine_server_call( req );
- *ReturnLength = FIELD_OFFSET( PRIVILEGE_SET, Privilege ) + reply->privileges_len; - PrivilegeSet->PrivilegeCount = reply->privileges_len / sizeof(LUID_AND_ATTRIBUTES); + return_length = FIELD_OFFSET( PRIVILEGE_SET, Privilege ) + reply->privileges_len; + if (return_length < sizeof(PRIVILEGE_SET)) + return_length = sizeof(PRIVILEGE_SET); + + if (*ReturnLength == 0) + { + *ReturnLength = return_length; + return STATUS_BUFFER_TOO_SMALL; + } + + if (!PrivilegeSet) + return STATUS_ACCESS_VIOLATION;
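Review bot: the `if (!PrivilegeSet) return STATUS_ACCESS_VIOLATION;` check is placed after `status = wine_server_call( req );`, so the request has already been sent to the server before the output pointer is validated; move the NULL check (and the `*ReturnLength` validation) above the server call so an invalid caller buffer is rejected before any request is made. The buffer-size test also only fires on `*ReturnLength == 0`: a caller passing a non-zero but too-short length is not rejected, so it should compare against the computed `return_length` (`if (*ReturnLength < return_length)`) and set `*ReturnLength = return_length;` on both the too-small and success paths. Finally, the removed `PrivilegeSet->PrivilegeCount = reply->privileges_len / sizeof(LUID_AND_ATTRIBUTES);` line has no visible replacement in this hunk; if the count is filled in later it should be noted, otherwise the output structure is left uninitialized.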
It doesn't make sense to test this after it has already been passed to the server, what's more with an invalid length.

--
Alexandre Julliard
julliard(a)winehq.org