Index: pool.c
===================================================================
--- ntoskrnl/mm/ARM3/pool.c (revision 71358)
+++ ntoskrnl/mm/ARM3/pool.c (working copy)
@@ -24,7 +24,7 @@
 KGUARDED_MUTEX MmPagedPoolMutex;
 MM_PAGED_POOL_INFO MmPagedPoolInfo;
 SIZE_T MmAllocatedNonPagedPool;
-ULONG MmSpecialPoolTag;
+ULONG MmSpecialPoolTag = 1;
 ULONG MmConsumedPoolPercentage;
 BOOLEAN MmProtectFreedNonPagedPool;
 SLIST_HEADER MiNonPagedPoolSListHead;
Index: special.c
===================================================================
--- ntoskrnl/mm/ARM3/special.c (revision 71358)
+++ ntoskrnl/mm/ARM3/special.c (working copy)
@@ -80,7 +80,7 @@
 if (NumberOfBytes > (PAGE_SIZE - sizeof(POOL_HEADER))) return FALSE;
- return Tag == MmSpecialPoolTag;
+ return TRUE;
 }
 BOOLEAN
Index: id_ata.cpp
===================================================================
--- drivers/storage/ide/uniata/id_ata.cpp (revision 71358)
+++ drivers/storage/ide/uniata/id_ata.cpp (working copy)
@@ -5924,6 +5924,17 @@
 if (srb->Cdb[0] == SCSIOP_READ_CAPACITY) {
 AtaReq->DataBuffer -= wordCount;
+ if (!MmIsAddressValid(AtaReq->DataBuffer) ||
+ (PCHAR)AtaReq->DataBuffer < (PCHAR)srb->DataBuffer ||
+ (PCHAR)AtaReq->DataBuffer > (PCHAR)srb->DataBuffer + srb->DataTransferLength - 3 * sizeof(USHORT))
+ {
+ DbgPrint("Accessing DataBuffer for req %p at %p. Valid: %u\n",
+ AtaReq, AtaReq->DataBuffer, MmIsAddressValid(AtaReq->DataBuffer));
+ DbgPrint("WordsLeft: %lu, WordsTransfered: %lu, wordCount: %lu\n",
+ AtaReq->WordsLeft, AtaReq->WordsTransfered, wordCount);
+ DbgPrint("SRB %p DataBuffer %p DataTransferLength %p\n",
+ srb, srb->DataBuffer, srb->DataTransferLength);
+ }
 if (AtaReq->DataBuffer[0] == 0x00) {
 *((ULONG *) &(AtaReq->DataBuffer[0])) = 0xFFFFFF7F;
 }
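Review bot: In pool.c the new initializer `ULONG MmSpecialPoolTag = 1;` is an unexplained magic value. It does not look like a four-character pool tag, so it presumably acts only as a non-zero "special pool enabled" switch for code outside this hunk (not visible here, please confirm). If this is a temporary debugging aid, say so next to the definition, for example `/* DEBUG ONLY: non-zero turns special pool on; 1 is not a real tag */`. The default should stay zero-initialized unless a debug configuration sets it.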
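Review bot: In special.c, replacing the tag comparison with `return TRUE;` leaves the selection check with no tag filter at all. Every request that passes the `PAGE_SIZE - sizeof(POOL_HEADER)` size test becomes a special-pool candidate, and the `Tag` value is no longer consulted in the visible lines. Special pool is an overrun-detection aid and presumably costs much more memory per allocation than the regular pool, so as an unconditional default this risks exhausting it. Keep `return Tag == MmSpecialPoolTag;` as the normal path and put the catch-all behind a build-time or runtime debug switch, with a comment such as `/* DEBUG ONLY: special-pool every sub-page allocation */`. The function starts above the hunk, so earlier conditions are not visible here.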
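Review bot: In id_ata.cpp the added range check only logs. When the rewound `AtaReq->DataBuffer` is invalid or outside `srb->DataBuffer .. +DataTransferLength`, control still falls through to `AtaReq->DataBuffer[0] == 0x00` and the `0xFFFFFF7F` store, so the out-of-bounds access it reports still happens. Make the fix-up conditional on the check passing, e.g. close the diagnostic block with `} else if (AtaReq->DataBuffer[0] == 0x00) {`. Whether the request should also be failed depends on code outside the hunk. Separately, the last `DbgPrint` formats `srb->DataTransferLength` (a `ULONG`) with `%p`, which is a width mismatch on 64-bit builds; use `DataTransferLength %lu`. `MmIsAddressValid` only reports whether the page is resident at that instant, so the bounds comparison is the meaningful part of the test.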