From: Serge Gautherie
Date: Tue, 3 Jan 2017 14:41:44 +0100
Subject: [FREELDR] freeldr\arch\i386\hardware.c: *DetectPnpBios(): Create+Use PnpBufferSizeLimit (= Fix r55173), [Thanks to curiousone for reporting this.] *Add 3 missing checks for FrLdrHeapAlloc() failure. CORE-12623
diff --git a/reactos/boot/freeldr/freeldr/arch/i386/hardware.c b/reactos/boot/freeldr/freeldr/arch/i386/hardware.c
index b9f222d..7906439 100644
--- a/reactos/boot/freeldr/freeldr/arch/i386/hardware.c
+++ b/reactos/boot/freeldr/freeldr/arch/i386/hardware.c
@@ -239,7 +239,7 @@ DetectPnpBios(PCONFIGURATION_COMPONENT_DATA SystemKey, ULONG *BusNumber)
 UCHAR NodeNumber;
 ULONG FoundNodeCount;
 int i;
- ULONG PnpBufferSize;
+ ULONG PnpBufferSize, PnpBufferSizeLimit;
 ULONG Size;
 char *Ptr;
@@ -293,16 +293,16 @@ DetectPnpBios(PCONFIGURATION_COMPONENT_DATA SystemKey, ULONG *BusNumber)
 PartialResourceList->PartialDescriptors[0].ShareDisposition = CmResourceShareUndetermined;
- /* The buffer starts after PartialResourceList->PartialDescriptors[0] */
- Ptr = (char *)(PartialResourceList + 1);
+ Ptr = (char *)(PartialResourceList->PartialDescriptors + PartialResourceList->Count);
+ PnpBufferSizeLimit = Size - sizeof(CM_PARTIAL_RESOURCE_LIST);
 /* Set installation check data */
 memcpy (Ptr, InstData, sizeof(CM_PNP_BIOS_INSTALLATION_CHECK));
 Ptr += sizeof(CM_PNP_BIOS_INSTALLATION_CHECK);
+ PnpBufferSize = sizeof(CM_PNP_BIOS_INSTALLATION_CHECK);
 /* Copy device nodes */
 FoundNodeCount = 0;
- PnpBufferSize = sizeof(CM_PNP_BIOS_INSTALLATION_CHECK);
 for (i = 0; i < 0xFF; i++)
 {
 NodeNumber = (UCHAR)i;
@@ -317,9 +317,9 @@ DetectPnpBios(PCONFIGURATION_COMPONENT_DATA SystemKey, ULONG *BusNumber)
 DeviceNode->Size, DeviceNode->Size);
- if (PnpBufferSize + DeviceNode->Size > Size)
+ if (PnpBufferSize + DeviceNode->Size > PnpBufferSizeLimit)
 {
- ERR("Buffer too small!\n");
+ ERR("Buffer too small! Ignoring remaining device nodes.\n");
 break;
 }
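Review bot: `PnpBufferSizeLimit = Size - sizeof(CM_PARTIAL_RESOURCE_LIST);` and the new `Ptr` line encode the "one descriptor" assumption in two different ways: `Ptr` is derived from `PartialResourceList->Count`, while the limit hard-codes the single descriptor that `sizeof(CM_PARTIAL_RESOURCE_LIST)` includes, so the two drift apart if `Count` (assigned before this hunk) is ever not 1. Deriving the limit from where the node buffer actually starts keeps them in step and restores the intent the deleted comment used to carry: `/* Device-node buffer starts after the last partial descriptor */` followed by `PnpBufferSizeLimit = Size - (ULONG)(Ptr - (char *)PartialResourceList);`. Either form presumes `Size` is at least the list header size; that computation is outside the hunk, and the unsigned subtraction would wrap to a huge limit if it were smaller, so it is worth confirming against the allocation. DetectPnpBios starts and ends outside the hunk.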
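Review bot: The new bound `if (PnpBufferSize + DeviceNode->Size > PnpBufferSizeLimit)` adds before it compares, so if `DeviceNode->Size` (firmware-supplied; its type is not visible in this hunk) is wider than 16 bits, a large value could wrap the ULONG sum and slip past the check. The subtraction form cannot wrap, because `PnpBufferSize` never exceeds the limit once inside this loop, provided the initial installation-check size fits within the allocation made outside the hunk: `if (DeviceNode->Size > PnpBufferSizeLimit - PnpBufferSize)`. The TRACE call before and the loop around this check continue outside the hunk.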
@@ -379,7 +379,7 @@ GetHarddiskConfigurationData(UCHAR DriveNumber, ULONG* pSize)
 PartialResourceList = FrLdrHeapAlloc(Size, TAG_HW_RESOURCE_LIST);
 if (PartialResourceList == NULL)
 {
- ERR("Failed to allocate a full resource descriptor\n");
+ ERR("Failed to allocate resource descriptor\n");
 return NULL;
 }
@@ -1037,6 +1037,11 @@ DetectSerialPointerPeripheral(PCONFIGURATION_COMPONENT_DATA ControllerKey,
 Size = sizeof(CM_PARTIAL_RESOURCE_LIST) - sizeof(CM_PARTIAL_RESOURCE_DESCRIPTOR);
 PartialResourceList = FrLdrHeapAlloc(Size, TAG_HW_RESOURCE_LIST);
+ if (PartialResourceList == NULL)
+ {
+ ERR("Failed to allocate resource descriptor\n");
+ return;
+ }
 memset(PartialResourceList, 0, Size);
 PartialResourceList->Version = 1;
 PartialResourceList->Revision = 1;
@@ -1577,6 +1582,11 @@ DetectPS2Mouse(PCONFIGURATION_COMPONENT_DATA BusKey)
 TRACE("Detected PS2 port\n");
 PartialResourceList = FrLdrHeapAlloc(sizeof(CM_PARTIAL_RESOURCE_LIST), TAG_HW_RESOURCE_LIST);
+ if (PartialResourceList == NULL)
+ {
+ ERR("Failed to allocate resource descriptor\n");
+ return;
+ }
 memset(PartialResourceList, 0, sizeof(CM_PARTIAL_RESOURCE_LIST));
 /* Initialize resource descriptor */
@@ -1613,6 +1623,11 @@ DetectPS2Mouse(PCONFIGURATION_COMPONENT_DATA BusKey)
 Size = sizeof(CM_PARTIAL_RESOURCE_LIST) - sizeof(CM_PARTIAL_RESOURCE_DESCRIPTOR);
 PartialResourceList = FrLdrHeapAlloc(Size, TAG_HW_RESOURCE_LIST);
+ if (PartialResourceList == NULL)
+ {
+ ERR("Failed to allocate resource descriptor\n");
+ return;
+ }
 memset(PartialResourceList, 0, Size);
 PartialResourceList->Version = 1;
 PartialResourceList->Revision = 1;
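Review bot: The three new `if (PartialResourceList == NULL) { ... return; }` blocks (DetectSerialPointerPeripheral at 1037, DetectPS2Mouse at 1582 and 1623) bail out of void functions, so the caller never learns that a detected device was left out of the hardware tree and the ERR line is the only trace. That is a defensible boot-time policy, but it should be stated at each site, e.g. `/* Out of heap: leave this device out of the tree rather than fail detection */`. In DetectPS2Mouse the second allocation (hunk at 1623) follows the first one in the same function (hunk at 1582); if that first list has not yet been handed off to a component key when the second allocation fails, the new `return;` leaks it — the code between the two hunks is outside this diff, so worth confirming. Each of these functions begins and ends outside its hunk.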