ntdll: Fix two buffer overflow conditions in RtlDosPathNameToNtPathName_U.

Octavian Voicu octavian.voicu at gmail.com
Tue Sep 6 07:23:42 CDT 2011


First one is an off-by-one error: RtlGetFullPathName_U, on success, returns
the number of bytes written, without counting the terminating NULL. The
allocated size for ntpath->Buffer didn't account for that NULL byte, so
for UNC paths the NULL byte would be overflowed.

Second one is caused by a USHORT overflow in ntpath->MaximumLength.
Calling the function with a path longer than 65535-8 bytes would allocate
a much shorter buffer and lead to a buffer overflow.

--
Steps to reproduce second issue are described here:
http://packetstormsecurity.org/files/view/76170/wine-overflow.txt

Funny fact: Windows had the same USHORT overflow bug:
http://www.securityfocus.com/archive/1/323508
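The second bug in isolation, as an added example that is not part of this patch or of Wine's sources: a UNICODE_STRING-style length field is a USHORT, so a size computed in a wider type and assigned into it is silently truncated modulo 65536, and the allocation made from the truncated value is far too small for the data that follows. The type names (WCHAR, USHORT, UNICODE_STRING, MAXWORD) are minimal stand-ins so the file compiles with a plain C compiler; the 1 + 4 + 4 prefix constant mirrors the patch, and the path lengths are constructed test values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for the Windows types (assumed shapes, not the real headers). */
typedef uint16_t WCHAR;
typedef uint16_t USHORT;
#define MAXWORD 0xffffU

typedef struct {
    USHORT Length;         /* bytes in use, excluding the terminating NUL */
    USHORT MaximumLength;  /* bytes allocated for Buffer */
    WCHAR *Buffer;
} UNICODE_STRING;

/* Extra bytes the NT path needs on top of the full DOS path:
   one NUL, "unc\" and "\??\" (same constants as the patch). */
#define NT_PREFIX_BYTES ((1 + 4 + 4) * sizeof(WCHAR))

/* Pre-fix behaviour: the total is narrowed straight into the USHORT field.
   Anything above 65535 wraps, so the caller allocates MaximumLength bytes
   and later copies full_path_bytes + prefix into it. Returns the wrapped value. */
USHORT truncated_maximum_length(size_t full_path_bytes)
{
    UNICODE_STRING s;
    s.MaximumLength = (USHORT)(full_path_bytes + NT_PREFIX_BYTES); /* wraps */
    return s.MaximumLength;
}

/* Post-fix behaviour: compute the total in a wide type, reject anything that
   does not fit the USHORT field, and only then allocate. */
bool nt_path_alloc(size_t full_path_bytes, UNICODE_STRING *out)
{
    size_t total = full_path_bytes + NT_PREFIX_BYTES;
    if (total > MAXWORD) return false;   /* would truncate: refuse instead */
    out->Buffer = malloc(total);
    if (!out->Buffer) return false;
    out->MaximumLength = (USHORT)total;  /* now provably <= MAXWORD */
    out->Length = 0;
    return true;
}

void nt_path_free(UNICODE_STRING *s) { free(s->Buffer); s->Buffer = NULL; }

int main(void)
{
    size_t bad = 65535 - 8;  /* just past the threshold named in the message */
    UNICODE_STRING s;
    printf("wrapped MaximumLength for %zu-byte path: %u bytes\n",
           bad, truncated_maximum_length(bad));
    printf("checked allocation for that path: %s\n",
           nt_path_alloc(bad, &s) ? "allocated" : "rejected");
    return 0;
}
```

The wrapped value for a 65527-byte path is 9 bytes, which is the "much shorter buffer" the message refers to; the checked version refuses the same input and accepts everything up to the point where the total is exactly MAXWORD.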
---
 dlls/ntdll/path.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/dlls/ntdll/path.c b/dlls/ntdll/path.c
index 3207720..6138fa8 100644
--- a/dlls/ntdll/path.c
+++ b/dlls/ntdll/path.c
@@ -383,8 +383,14 @@ BOOLEAN  WINAPI RtlDosPathNameToNtPathName_U(PCWSTR dos_path,
         if (!(ptr = RtlAllocateHeap(GetProcessHeap(), 0, sz))) return FALSE;
         sz = RtlGetFullPathName_U(dos_path, sz, ptr, file_part);
     }
+    sz += (1 /* NUL */ + 4 /* unc\ */ + 4 /* \??\ */) * sizeof(WCHAR);
+    if (sz > MAXWORD)
+    {
+        if (ptr != local) RtlFreeHeap(GetProcessHeap(), 0, ptr);
+        return FALSE;
+    }
 
-    ntpath->MaximumLength = sz + (4 /* unc\ */ + 4 /* \??\ */) * sizeof(WCHAR);
+    ntpath->MaximumLength = sz;
     ntpath->Buffer = RtlAllocateHeap(GetProcessHeap(), 0, ntpath->MaximumLength);
     if (!ntpath->Buffer)
     {
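Review bot: the added `sz += (1 /* NUL */ + 4 /* unc\ */ + 4 /* \??\ */) * sizeof(WCHAR);` changes the meaning of sz from "bytes returned by RtlGetFullPathName_U" to "final ntpath->MaximumLength", so any later use of sz in this function as the length of the string in ptr (for example when it is copied into ntpath->Buffer) would now be 18 bytes too large; consider a separate variable such as `total = sz + ...`, testing `total > MAXWORD` and assigning `ntpath->MaximumLength = total`, so sz keeps its original meaning. The cleanup in the new failure path (`if (ptr != local) RtlFreeHeap(...)`) matches the heap allocation visible at the top of the hunk and looks correct.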
-- 
1.7.4.1