Octavian Voicu : ntdll: Fix two buffer overflow conditions in RtlDosPathNameToNtPathName_U. - wine-commits

6 Sep 2011

Module: wine
Branch: master
Commit: ce60eb845968d80e693566dd9bbf284fed31bc1c
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=ce60eb845968d80e693566dd9b...
Author: Octavian Voicu octavian.voicu@gmail.com
Date:   Tue Sep  6 15:23:42 2011 +0300
ntdll: Fix two buffer overflow conditions in RtlDosPathNameToNtPathName_U.
---
dlls/ntdll/path.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/dlls/ntdll/path.c b/dlls/ntdll/path.c
index 3207720..6138fa8 100644
--- a/dlls/ntdll/path.c
+++ b/dlls/ntdll/path.c
@@ -383,8 +383,14 @@ BOOLEAN  WINAPI RtlDosPathNameToNtPathName_U(PCWSTR dos_path,
         if (!(ptr = RtlAllocateHeap(GetProcessHeap(), 0, sz))) return FALSE;
         sz = RtlGetFullPathName_U(dos_path, sz, ptr, file_part);
     }
+    sz += (1 /* NUL */ + 4 /* unc\ */ + 4 /* ??\ */) * sizeof(WCHAR);
+    if (sz > MAXWORD)
+    {
+        if (ptr != local) RtlFreeHeap(GetProcessHeap(), 0, ptr);
+        return FALSE;
+    }
-    ntpath->MaximumLength = sz + (4 /* unc\ */ + 4 /* ??\ */) * sizeof(WCHAR);
+    ntpath->MaximumLength = sz;
     ntpath->Buffer = RtlAllocateHeap(GetProcessHeap(), 0, ntpath->MaximumLength);
     if (!ntpath->Buffer)
     {

    