Index: pool.c =================================================================== --- ntoskrnl/mm/ARM3/pool.c (revision 71358) +++ ntoskrnl/mm/ARM3/pool.c (working copy) @@ -24,7 +24,7 @@ KGUARDED_MUTEX MmPagedPoolMutex; MM_PAGED_POOL_INFO MmPagedPoolInfo; SIZE_T MmAllocatedNonPagedPool; -ULONG MmSpecialPoolTag; +ULONG MmSpecialPoolTag = 1; ULONG MmConsumedPoolPercentage; BOOLEAN MmProtectFreedNonPagedPool; SLIST_HEADER MiNonPagedPoolSListHead; Index: special.c =================================================================== --- ntoskrnl/mm/ARM3/special.c (revision 71358) +++ ntoskrnl/mm/ARM3/special.c (working copy) @@ -80,7 +80,7 @@ if (NumberOfBytes > (PAGE_SIZE - sizeof(POOL_HEADER))) return FALSE; - return Tag == MmSpecialPoolTag; + return TRUE; } BOOLEAN Index: id_ata.cpp =================================================================== --- drivers/storage/ide/uniata/id_ata.cpp (revision 71358) +++ drivers/storage/ide/uniata/id_ata.cpp (working copy) @@ -5923,13 +5923,24 @@ // for that also. if (srb->Cdb[0] == SCSIOP_READ_CAPACITY) { - AtaReq->DataBuffer -= wordCount; + AtaReq->DataBuffer -= AtaReq->WordsTransfered; + if (!MmIsAddressValid(AtaReq->DataBuffer) || + (PCHAR)AtaReq->DataBuffer < (PCHAR)srb->DataBuffer || + (PCHAR)AtaReq->DataBuffer > (PCHAR)srb->DataBuffer + srb->DataTransferLength - 3 * sizeof(USHORT)) + { + DbgPrint("Accessing DataBuffer for req %p at %p. Valid: %u\n", + AtaReq, AtaReq->DataBuffer, MmIsAddressValid(AtaReq->DataBuffer)); + DbgPrint("WordsLeft: %lu, WordsTransfered: %lu, wordCount: %lu\n", + AtaReq->WordsLeft, AtaReq->WordsTransfered, wordCount); + DbgPrint("SRB %p DataBuffer %p DataTransferLength %p\n", + srb, srb->DataBuffer, srb->DataTransferLength); + } if (AtaReq->DataBuffer[0] == 0x00) { *((ULONG *) &(AtaReq->DataBuffer[0])) = 0xFFFFFF7F; } *((ULONG *) &(AtaReq->DataBuffer[2])) = 0x00080000; - AtaReq->DataBuffer += wordCount; + AtaReq->DataBuffer += AtaReq->WordsTransfered; } #ifndef UNIATA_INIT_CHANGERS else
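Review bot: The new initializer `ULONG MmSpecialPoolTag = 1;` is never read once the special.c hunk replaces `return Tag == MmSpecialPoolTag;` with `return TRUE;`, so the value 1 has no visible effect and the two hunks together make MmUseSpecialPool accept every allocation that fits in a page. That reads as a local debugging aid (forcing all small pool allocations through special pool) rather than a deliberate default; if that is the intent, the definition should carry a comment such as `/* Debug aid: special pool is forced on for every sub-page allocation, see MmUseSpecialPool */` and both hunks should sit under a dedicated debug define rather than land unconditionally. If 1 is instead meant as a "match every tag" sentinel, keep the comparison in special.c and handle that sentinel explicitly so the tag filter can be turned back on without reverting code.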
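Review bot: After `return TRUE;` the `Tag` parameter of MmUseSpecialPool is unused while the signature, which starts before this hunk, still takes it; add `UNREFERENCED_PARAMETER(Tag);` ahead of the return so the build stays warning-free and the intent is explicit. A one-line comment at the return, e.g. `/* Every tag qualifies: only the page-size check above filters requests */`, would document that the tag filter was deliberately removed rather than lost. Because the size check is now the only filter, every sub-page allocation is backed by special pool, which is considerably more expensive than regular pool, so the comment should also say whether this is a debug-only setting.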
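Review bot: The new range check only prints diagnostics; when it fires, the code still falls through to `*((ULONG *) &(AtaReq->DataBuffer[0]))` and `[2]`, so the out-of-range pointer the check just reported is written through anyway. The writes should be skipped in that case and DataBuffer restored by `AtaReq->WordsTransfered` so the pointer is left as the caller expects. The upper bound also looks one word short: the two ULONG stores cover DataBuffer[0..3], i.e. four USHORTs, so the last acceptable start is `end - 4 * sizeof(USHORT)`, not `3 * sizeof(USHORT)` (assuming DataBuffer is a USHORT pointer, which the indexing suggests). Separately, `srb->DataTransferLength` is printed with `%p` but is an integer length; `%lu` is the matching specifier. The enclosing function starts and ends outside this hunk.

```cpp
AtaReq->DataBuffer -= AtaReq->WordsTransfered;
if (!MmIsAddressValid(AtaReq->DataBuffer) ||
    (PCHAR)AtaReq->DataBuffer < (PCHAR)srb->DataBuffer ||
    (PCHAR)AtaReq->DataBuffer > (PCHAR)srb->DataBuffer + srb->DataTransferLength - 4 * sizeof(USHORT))
{
    // … unchanged: the three DbgPrint diagnostics (use %lu for DataTransferLength) …
    AtaReq->DataBuffer += AtaReq->WordsTransfered;   // restore; do not touch a pointer outside the SRB buffer
}
else
{
    if (AtaReq->DataBuffer[0] == 0x00) {
        *((ULONG *) &(AtaReq->DataBuffer[0])) = 0xFFFFFF7F;
    }
    *((ULONG *) &(AtaReq->DataBuffer[2])) = 0x00080000;
    AtaReq->DataBuffer += AtaReq->WordsTransfered;
}
```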