ntoskrnl.exe: Make IoAllocateIrp not crash on negative values.
Bernhard Übelacker
bernhardu at vr-web.de
Sun Mar 27 13:27:44 CDT 2016
https://bugs.winehq.org/show_bug.cgi?id=39734
Changes should avoid a crash in acedrv11.sys.
IoAllocateIrp is called with a stack_size of -128.
Tested against Windows XP.
(See the test based on wine-staging "driver testing framework".)
Signed-off-by: Bernhard Übelacker <bernhardu at vr-web.de>
---
dlls/ntoskrnl.exe/ntoskrnl.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/dlls/ntoskrnl.exe/ntoskrnl.c b/dlls/ntoskrnl.exe/ntoskrnl.c
index 36488a7..f2ccc61 100644
--- a/dlls/ntoskrnl.exe/ntoskrnl.c
+++ b/dlls/ntoskrnl.exe/ntoskrnl.c
@@ -592,15 +592,20 @@ PIRP WINAPI IoAllocateIrp( CCHAR stack_size, BOOLEAN charge_quota )
{
SIZE_T size;
PIRP irp;
+ CCHAR _stack_size = stack_size;
TRACE( "%d, %d\n", stack_size, charge_quota );
- size = sizeof(IRP) + stack_size * sizeof(IO_STACK_LOCATION);
+ if (_stack_size <= 0 || (_stack_size > 1 && stack_size < 8))
+ _stack_size = 8;
+
+ size = sizeof(IRP) + _stack_size * sizeof(IO_STACK_LOCATION);
irp = ExAllocatePool( NonPagedPool, size );
if (irp == NULL)
return NULL;
IoInitializeIrp( irp, size, stack_size );
- irp->AllocationFlags = IRP_ALLOCATED_FIXED_SIZE;
+ if (stack_size >= 1 && stack_size <= 8)
+ irp->AllocationFlags = IRP_ALLOCATED_FIXED_SIZE;
if (charge_quota)
irp->AllocationFlags |= IRP_LOOKASIDE_ALLOCATION;
return irp;
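Review bot: the allocation is now sized for `_stack_size` stack locations, but the unchanged call `IoInitializeIrp( irp, size, stack_size );` still receives the original, possibly negative, value (-128 in the reported case), so the IRP's stack accounting is initialised from a count that does not match what was allocated; pass `_stack_size` there as well, or add a comment explaining why the caller's value must be preserved. Two smaller points in the same hunk: the condition `if (_stack_size <= 0 || (_stack_size > 1 && stack_size < 8))` mixes `_stack_size` and `stack_size` in one expression, which reads like a typo even if both hold the same value at that point, and a name such as `alloc_stack_size` would avoid the leading underscore and make the intent clearer; and the rounding to 8 and the `stack_size >= 1 && stack_size <= 8` window for `IRP_ALLOCATED_FIXED_SIZE` are magic numbers with no explanation in the code, so a short comment stating that they reproduce the behaviour observed on Windows XP would help the next reader.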
--
2.1.4