[PATCH 2/2] ntdll: Improve invalid parameter handling in NtAccessCheck. (try 3)

Alexandre Julliard julliard at winehq.org
Tue Feb 23 03:04:54 CST 2016


Qian Hong <qhong at codeweavers.com> writes:

> @@ -1629,8 +1630,28 @@ NtAccessCheck(
>  
>          status = wine_server_call( req );
>  
> -        *ReturnLength = FIELD_OFFSET( PRIVILEGE_SET, Privilege ) + reply->privileges_len;
> -        PrivilegeSet->PrivilegeCount = reply->privileges_len / sizeof(LUID_AND_ATTRIBUTES);
> +        return_length = FIELD_OFFSET( PRIVILEGE_SET, Privilege ) + reply->privileges_len;
> +        if (return_length < sizeof(PRIVILEGE_SET))
> +            return_length = sizeof(PRIVILEGE_SET);
> +
> +        if (*ReturnLength == 0)
> +        {
> +            *ReturnLength = return_length;
> +            return STATUS_BUFFER_TOO_SMALL;
> +        }
> +
> +        if (!PrivilegeSet)
> +            return STATUS_ACCESS_VIOLATION;

It doesn't make sense to test this after it has already been passed to
the server, what's more with an invalid length.

-- 
Alexandre Julliard
julliard at winehq.org
