
[NTOS:EX] Fix BufferSize validation in NtCreateProfile.

See https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/profile/bugdemo.htm

authored by

Thomas Faber and committed by
Mark Jansen
1b2eeb23 11d11f93

+7 -1
+7 -1
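--- a/ntoskrnl/ex/profile.c
+++ b/ntoskrnl/ex/profile.c
@@ -104,6 +104,7 @@
     NTSTATUS Status;
     ULONG Log2 = 0;
     ULONG_PTR Segment = 0;
+    ULONG BucketsRequired;
     PAGED_CODE();
 
     /* Easy way out */
@@ -136,7 +137,12 @@
     }
 
     /* Make sure that the buckets can map the range */
-    if ((RangeSize >> (BucketSize - 2)) > BufferSize)
+    BucketsRequired = RangeSize >> BucketSize;
+    if (RangeSize & ((1 << BucketSize) - 1))
+    {
+        BucketsRequired++;
+    }
+    if (BucketsRequired > BufferSize / sizeof(ULONG))
     {
         DPRINT1("Bucket size too small\n");
         return STATUS_BUFFER_TOO_SMALL;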
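Review bot: The rounding mask in the second hunk is built from an `int` literal, `(1 << BucketSize) - 1`, so if the earlier BucketSize validation (outside this hunk) still admits 31, `1 << 31` overflows a signed int and the resulting negative mask is sign-extended when widened to RangeSize's type, making the remainder test unreliable for exactly the caller-controlled sizes this check is meant to reject. Computing the mask in the width of the value being masked avoids both problems: `if (RangeSize & (((ULONG_PTR)1 << BucketSize) - 1))`. RangeSize's declared type is not visible here; if it is 64-bit, the assignment into the new 32-bit `BucketsRequired` can also truncate, so the comparison against `BufferSize / sizeof(ULONG)` should either be done in ULONG_PTR or be preceded by an explicit range check. NtCreateProfile begins before and continues after this hunk.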