
Commit 1fe60e8

committed
Limit buffer length to USHORT in NtQueryObject.
1 parent 0601cb8 commit 1fe60e8


1 file changed

+10
-9
lines changed


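--- a/src/usvfs_dll/hooks/ntdll.cpp
+++ b/src/usvfs_dll/hooks/ntdll.cpp
@@ -1050,7 +1050,7 @@ DLLEXPORT NTSTATUS WINAPI usvfs::hook_NtQueryObject(
 HANDLE Handle, OBJECT_INFORMATION_CLASS ObjectInformationClass,
 PVOID ObjectInformation, ULONG ObjectInformationLength, PULONG ReturnLength)
 {
-NTSTATUS res;
+NTSTATUS res = STATUS_SUCCESS;
 
 HOOK_START_GROUP(MutExHookGroup::FILE_ATTRIBUTES)
 if (!callContext.active()) {
@@ -1091,7 +1091,7 @@ DLLEXPORT NTSTATUS WINAPI usvfs::hook_NtQueryObject(
 std::wstring buffer(static_cast<LPCWSTR>(trackerInfo));
 buffer[6] = L'\0';
 
-const auto charCount = QueryDosDeviceW(buffer.data() + 4, deviceName, ARRAYSIZE(deviceName));
+QueryDosDeviceW(buffer.data() + 4, deviceName, ARRAYSIZE(deviceName));
 
 buffer =
 std::wstring(deviceName) + L'\\' + std::wstring(buffer.data() + 7, buffer.size() - 7);
@@ -1107,25 +1107,26 @@ DLLEXPORT NTSTATUS WINAPI usvfs::hook_NtQueryObject(
 }
 
 if (ReturnLength) {
-*ReturnLength = requiredLength;
+*ReturnLength = static_cast<ULONG>(requiredLength);
 }
 } else {
 // put the unicode buffer at the end of the object
-const auto unicodeBufferLength =
-ObjectInformationLength - sizeof(OBJECT_NAME_INFORMATION);
+const USHORT unicodeBufferLength = static_cast<USHORT>(std::min(
+static_cast<unsigned long long>(std::numeric_limits<USHORT>::max()),
+static_cast<unsigned long long>(ObjectInformationLength - sizeof(OBJECT_NAME_INFORMATION))));
 LPWSTR unicodeBuffer = reinterpret_cast<LPWSTR>(
 static_cast<LPSTR>(ObjectInformation) + sizeof(OBJECT_NAME_INFORMATION));
 
 // copy the path into the buffer
-wmemcpy(unicodeBuffer, buffer.data(), buffer.size());
+wmemcpy_s(unicodeBuffer, unicodeBufferLength, buffer.data(), buffer.size());
 
 // set the null character
 unicodeBuffer[buffer.size()] = L'\0';
 
 // update the actual unicode string
 info->Name.Buffer = unicodeBuffer;
 info->Name.Length = static_cast<USHORT>(buffer.size() * 2);
-info->Name.MaximumLength = static_cast<USHORT>(unicodeBufferLength);
+info->Name.MaximumLength = unicodeBufferLength;
 
 res = STATUS_SUCCESS;
 }
@@ -1156,7 +1157,7 @@ DLLEXPORT NTSTATUS WINAPI usvfs::hook_NtQueryInformationFile(
 HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation,
 ULONG Length, FILE_INFORMATION_CLASS FileInformationClass)
 {
-NTSTATUS res;
+NTSTATUS res = STATUS_SUCCESS;
 
 HOOK_START_GROUP(MutExHookGroup::FILE_ATTRIBUTES)
 if (!callContext.active()) {
@@ -1217,7 +1218,7 @@ DLLEXPORT NTSTATUS WINAPI usvfs::hook_NtQueryInformationFile(
 
 // not using SetInfoFilename because the length is not set and we do not need to
 // 0-out the memory here
-info->FileNameLength = (trackerInfo.size() - 6) * 2;
+info->FileNameLength = static_cast<ULONG>((trackerInfo.size() - 6) * 2);
 wmemcpy(info->FileName, filenameFixed, trackerInfo.size() - 6);
 res = STATUS_SUCCESS;
 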
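Review bot: The bound passed to `wmemcpy_s` at new line 1121 is a byte count (`ObjectInformationLength - sizeof(OBJECT_NAME_INFORMATION)`, clamped to USHORT), but `wmemcpy_s` takes its second argument in wchar_t elements, so the guard admits a copy of up to twice the space that is actually left in the caller's buffer. The terminator store `unicodeBuffer[buffer.size()] = L'\0';` at line 1124 is not covered by any check at all, and the `wmemcpy_s` return value is discarded, so a too-small buffer still ends in an out-of-bounds write and `STATUS_SUCCESS`; note also that, as far as I recall, the CRT zeroes the destination when `wmemcpy_s` rejects the size, which would then be reported as a valid name. The if/else that selects this branch and the enclosing `hook_NtQueryObject` both lie outside the hunk, so it may already guarantee `requiredLength <= ObjectInformationLength`; if it does, a one-line comment stating that invariant at line 1114 would suffice, otherwise the copy should be gated on the real element count as below (the status to return on overflow should match whatever the required-length branch above uses; `STATUS_BUFFER_OVERFLOW` is a guess).
```cpp
// put the unicode buffer at the end of the object
const size_t unicodeBufferBytes = ObjectInformationLength - sizeof(OBJECT_NAME_INFORMATION);
// wmemcpy_s counts wchar_t elements, not bytes
const size_t unicodeBufferChars = unicodeBufferBytes / sizeof(WCHAR);
const USHORT unicodeBufferLength = static_cast<USHORT>(std::min(
    static_cast<unsigned long long>(std::numeric_limits<USHORT>::max()),
    static_cast<unsigned long long>(unicodeBufferBytes)));
LPWSTR unicodeBuffer = reinterpret_cast<LPWSTR>(
    static_cast<LPSTR>(ObjectInformation) + sizeof(OBJECT_NAME_INFORMATION));

// the path and its terminator must both fit before anything is written
if (buffer.size() + 1 > unicodeBufferChars) {
  res = STATUS_BUFFER_OVERFLOW;  // TODO(review): align with the required-length branch
} else {
  wmemcpy_s(unicodeBuffer, unicodeBufferChars, buffer.data(), buffer.size());
  // … unchanged: terminator, Name.Buffer / Name.Length / Name.MaximumLength …
  res = STATUS_SUCCESS;
}
```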
