Author: fireball
Date: Sat Feb 26 16:50:20 2011
New Revision: 50912

URL: http://svn.reactos.org/svn/reactos?rev=50912&view=rev
Log:
[KERNEL32]
- Fix buffer overwrite in GetModuleFileName(). Spotted by DPH.
See issue #5964 for more details.

Modified:
    trunk/reactos/dll/win32/kernel32/misc/ldr.c

Modified: trunk/reactos/dll/win32/kernel32/misc/ldr.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/kernel32/misc/ldr.c?rev=50912&r1=50911&r2=50912&view=diff
==============================================================================
--- trunk/reactos/dll/win32/kernel32/misc/ldr.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/kernel32/misc/ldr.c [iso-8859-1] Sat Feb 26 
16:50:20 2011
@@ -431,10 +431,10 @@
                                                             
&Module->FullDllName,
                                                             FALSE);
                                
-                       if (nSize < Length)
+                       if (Length < nSize)
+                               lpFilename[Length] = '\0';
+                       else
                                SetLastErrorByStatus (STATUS_BUFFER_TOO_SMALL);
-                       else
-                               lpFilename[Length] = '\0';
 
                        RtlLeaveCriticalSection (Peb->LoaderLock);
                        return Length;
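Review bot: The `else` branch still returns with `lpFilename` holding no terminator, so a caller that ignores the last-error value and treats the buffer as a C string will read past its `nSize` elements; the same applies to the wide-character hunk at `lpFilename[Length] = L'\0';`. If leaving the buffer unterminated on truncation is the intended behaviour, say so above the check, e.g. `/* Truncated: buffer is NOT NUL-terminated; caller must check for STATUS_BUFFER_TOO_SMALL */`. `Length` is computed outside the hunk, and the new guard is only sound if it is a character count already clamped to `nSize`. That is worth confirming because the UNICODE_STRING length fields used by the preceding copy are byte counts. The enclosing function starts and ends outside the hunk.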
@@ -489,10 +489,10 @@
 
                        RtlCopyUnicodeString (&FileName,
                                              &Module->FullDllName);
-                       if (nSize < Length)
+                       if (Length < nSize)
+                               lpFilename[Length] = L'\0';
+                       else
                                SetLastErrorByStatus (STATUS_BUFFER_TOO_SMALL);
-                       else
-                               lpFilename[Length] = L'\0';
 
                        RtlLeaveCriticalSection (Peb->LoaderLock);
 

