=?UTF-8?Q?Bernhard=20=C3=9Cbelacker=20?=: ntoskrnl.exe: Make IoAllocateIrp not crash on negative values.

[Alexandre Julliard]

Module: wine
Branch: stable
Commit: 7a09ac7f94fb7fbb07fa6359cd406daa48d38d6a
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=7a09ac7f94fb7fbb07fa6359cd406daa48d38d6a

Author: Bernhard Übelacker <bernhardu at vr-web.de>
Date:   Tue Mar 29 22:13:16 2016 +0200

ntoskrnl.exe: Make IoAllocateIrp not crash on negative values.

Signed-off-by: Bernhard Übelacker <bernhardu at vr-web.de>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>
(cherry picked from commit 64aec5d8dbae329958b9b677d3289de78142e289)
Signed-off-by: Michael Stefaniuc <mstefani at winehq.org>

---

 dlls/ntoskrnl.exe/ntoskrnl.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/dlls/ntoskrnl.exe/ntoskrnl.c b/dlls/ntoskrnl.exe/ntoskrnl.c
index 904d66a..1a5fe11 100644
--- a/dlls/ntoskrnl.exe/ntoskrnl.c
+++ b/dlls/ntoskrnl.exe/ntoskrnl.c
@@ -592,15 +592,20 @@ PIRP WINAPI IoAllocateIrp( CCHAR stack_size, BOOLEAN charge_quota )
 {
     SIZE_T size;
     PIRP irp;
+    CCHAR loc_count = stack_size;
 
     TRACE( "%d, %d\n", stack_size, charge_quota );
 
-    size = sizeof(IRP) + stack_size * sizeof(IO_STACK_LOCATION);
+    if (loc_count < 8 && loc_count != 1)
+        loc_count = 8;
+
+    size = sizeof(IRP) + loc_count * sizeof(IO_STACK_LOCATION);
     irp = ExAllocatePool( NonPagedPool, size );
     if (irp == NULL)
         return NULL;
     IoInitializeIrp( irp, size, stack_size );
-    irp->AllocationFlags = IRP_ALLOCATED_FIXED_SIZE;
+    if (stack_size >= 1 && stack_size <= 8)
+        irp->AllocationFlags = IRP_ALLOCATED_FIXED_SIZE;
     if (charge_quota)
         irp->AllocationFlags |= IRP_LOOKASIDE_ALLOCATION;
     return irp;