I identified 4 issues in the FsRtlIsNameInExpressionPrivate function.
- Overflow of the BackTrackingBuffer stack buffer by 2 bytes.
Triggered by input: Expression="FI<<<<<<<<", Name="FILE"
Bug found with afl-fuzz.
- Logic error that can result in inadvertently swapping the contents of BackTracking and OldBackTracking.
Triggered by input: Expression="<<<<<<<<<.<", Name="."
Bug found by myself, triggering input found with afl-fuzz.
- Incorrect handling of DOS_STAR due to a logic bug. It causes DontSkipDot to be always set to FALSE whenever the for loop is entered, effectively rendering DOS_STAR equivalent to regular star (*).
Triggered by input: Expression="F<", Name="FILE.TXT"
- Excessive buffer allocation by a factor of 2. The following loop exit condition should make it clear that BackTrackingBufferSize need not be larger than Expression->Length + 1:
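To make the DOS_STAR issue (third item above) concrete, here is an added illustrative matcher; it is my own recursive re-implementation of the documented NT wildcard semantics, not the kernel's FsRtlIsNameInExpressionPrivate code, and is unrelated to the allocation-size loop mentioned in the last item. The `dos_star_as_star` flag reproduces the reported behaviour, where DOS_STAR degrades to a plain `*` and `F<` wrongly matches `FILE.TXT`. Assumed: ASCII names, case-insensitive comparison, and DOS_STAR may consume the final `.` of the name but nothing beyond it.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* NT wildcard metacharacters, as accepted by FsRtlIsNameInExpression */
#define DOS_STAR '<'   /* zero or more chars, up to and including the final '.' */
#define DOS_QM   '>'   /* one char, but consumes nothing at a '.' or at end of name */
#define DOS_DOT  '"'   /* a '.', or nothing at end of name */

/* Recursive matcher (illustrative, not the kernel's iterative backtracking code).
 * dos_star_as_star = true reproduces the reported bug: DOS_STAR behaves like '*'. */
static bool match_at(const char *e, const char *n, const char *last_dot,
                     bool dos_star_as_star)
{
    if (*e == '\0')
        return *n == '\0';
    switch (*e) {
    case '*':
    case DOS_STAR:
        for (;; n++) {
            if (match_at(e + 1, n, last_dot, dos_star_as_star))
                return true;
            if (*n == '\0')
                return false;
            /* DOS_STAR may swallow the final dot but must never run past it */
            if (*e == DOS_STAR && !dos_star_as_star && n == last_dot)
                return match_at(e + 1, n + 1, last_dot, dos_star_as_star);
        }
    case '?':
        return *n != '\0' && match_at(e + 1, n + 1, last_dot, dos_star_as_star);
    case DOS_QM:
        if (*n == '\0' || *n == '.')
            return match_at(e + 1, n, last_dot, dos_star_as_star);
        return match_at(e + 1, n + 1, last_dot, dos_star_as_star);
    case DOS_DOT:
        if (*n == '\0')
            return match_at(e + 1, n, last_dot, dos_star_as_star);
        return *n == '.' && match_at(e + 1, n + 1, last_dot, dos_star_as_star);
    default:
        return toupper((unsigned char)*e) == toupper((unsigned char)*n) &&
               match_at(e + 1, n + 1, last_dot, dos_star_as_star);
    }
}

/* Case-insensitive test of whether name matches expression (assumed helper). */
bool name_in_expression(const char *expression, const char *name, bool dos_star_as_star)
{
    return match_at(expression, name, strrchr(name, '.'), dos_star_as_star);
}
```

With the page's triggering input, `name_in_expression("F<", "FILE.TXT", true)` returns true (the buggy `*`-like behaviour) while the intended DOS_STAR semantics return false.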