https://git.reactos.org/?p=reactos.git;a=commitdiff;h=7f346b1aa350942540c7dee9fce3869bea2a72a6

commit 7f346b1aa350942540c7dee9fce3869bea2a72a6
Author:     Thamatip Chitpong <[email protected]>
AuthorDate: Wed Nov 22 08:58:27 2023 +0700
Commit:     GitHub <[email protected]>
CommitDate: Wed Nov 22 08:58:27 2023 +0700

    [SETUPAPI] CM_Request_Device_Eject_ExA/W: Fix pszVetoName buffer size 
validation (#5943)
    
    - Return CR_INVALID_POINTER if pszVetoName is NULL and ulNameLength is not 
zero
    - CM_Request_Device_Eject_ExA: Allow ulNameLength to be zero when 
pszVetoName is not NULL
    
    Verified with Windows 2003 SP2.
---
 dll/win32/setupapi/cfgmgr.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/dll/win32/setupapi/cfgmgr.c b/dll/win32/setupapi/cfgmgr.c
index 4a4e18ad621..3ab1d6969ce 100644
--- a/dll/win32/setupapi/cfgmgr.c
+++ b/dll/win32/setupapi/cfgmgr.c
@@ -7483,22 +7483,25 @@ CM_Request_Device_Eject_ExA(
     _In_ ULONG ulFlags,
     _In_opt_ HMACHINE hMachine)
 {
-    LPWSTR lpLocalVetoName;
+    LPWSTR lpLocalVetoName = NULL;
     CONFIGRET ret;
 
     TRACE("CM_Request_Device_Eject_ExA(%lx %p %s %lu %lx %p)\n",
           dnDevInst, pVetoType, debugstr_a(pszVetoName), ulNameLength, 
ulFlags, hMachine);
 
-    if (pszVetoName == NULL && ulNameLength == 0)
-        return CR_INVALID_POINTER;
+    if (ulNameLength != 0)
+    {
+        if (pszVetoName == NULL)
+            return CR_INVALID_POINTER;
 
-    lpLocalVetoName = HeapAlloc(GetProcessHeap(), 0, ulNameLength * 
sizeof(WCHAR));
-    if (lpLocalVetoName == NULL)
-        return CR_OUT_OF_MEMORY;
+        lpLocalVetoName = HeapAlloc(GetProcessHeap(), 0, ulNameLength * 
sizeof(WCHAR));
+        if (lpLocalVetoName == NULL)
+            return CR_OUT_OF_MEMORY;
+    }
 
     ret = CM_Request_Device_Eject_ExW(dnDevInst, pVetoType, lpLocalVetoName,
                                       ulNameLength, ulFlags, hMachine);
-    if (ret == CR_REMOVE_VETOED)
+    if (ret == CR_REMOVE_VETOED && ulNameLength != 0)
     {
         if (WideCharToMultiByte(CP_ACP,
                                 0,
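Review bot: The allocation size `ulNameLength * sizeof(WCHAR)` inside the new `if (ulNameLength != 0)` block is computed from a caller-supplied ULONG with no overflow check. On a 32-bit build a length of 0x80000000 or more wraps to a small size, while the unreduced `ulNameLength` is still passed to CM_Request_Device_Eject_ExW as the buffer length. How the W function uses that length is outside this hunk, but a guard before HeapAlloc would remove the mismatch, e.g. `if (ulNameLength > (SIZE_T)-1 / sizeof(WCHAR)) return CR_OUT_OF_MEMORY;`. The WideCharToMultiByte call and the cleanup of lpLocalVetoName continue past the end of the hunk, so it is worth confirming there that the free path tolerates the new NULL initial value when ulNameLength is zero.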
@@ -7544,7 +7547,7 @@ CM_Request_Device_Eject_ExW(
     if (ulFlags != 0)
         return CR_INVALID_FLAG;
 
-    if (pszVetoName == NULL && ulNameLength == 0)
+    if (pszVetoName == NULL && ulNameLength != 0)
         return CR_INVALID_POINTER;
 
     if (hMachine != NULL)
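Review bot: The corrected check `pszVetoName == NULL && ulNameLength != 0` now lets both (NULL, 0) and (non-NULL, 0) through, and nothing in the hunk records that this is intentional. A short comment above it would help, for example `/* A NULL buffer is only valid when no veto name is requested (ulNameLength == 0) */`. The rest of CM_Request_Device_Eject_ExW lies outside this hunk, so it cannot be confirmed from here that the later code never dereferences or writes through pszVetoName when ulNameLength is zero; that path deserves a look alongside this change.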
