ntoskrnl.exe: Make IoAllocateIrp not crash on negative values. (try 2)

Bernhard Übelacker bernhardu at vr-web.de
Tue Mar 29 15:13:16 CDT 2016


https://bugs.winehq.org/show_bug.cgi?id=39734

This patch should avoid a crash in acedrv11.sys.
IoAllocateIrp is called with a stack_size of -128.
Therefore ExAllocatePool gets a negative size value.

Tested against Windows XP.
(See the test based on wine-staging "driver testing framework" attached to the bug.)
( https://newtestbot.winehq.org/JobDetails.pl?Key=21722 test run by Sebastian Lackner.)

Try 1: https://www.winehq.org/pipermail/wine-patches/2016-March/148587.html
Review 1: https://www.winehq.org/pipermail/wine-devel/2016-March/112476.html

Changes since try 1:
- Fix usage of wrong variable.
- Use a better name for variable.
- Simplify if statement.

Signed-off-by: Bernhard Übelacker <bernhardu at vr-web.de>
---
 dlls/ntoskrnl.exe/ntoskrnl.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/dlls/ntoskrnl.exe/ntoskrnl.c b/dlls/ntoskrnl.exe/ntoskrnl.c
index 36488a7..e0de9ef 100644
--- a/dlls/ntoskrnl.exe/ntoskrnl.c
+++ b/dlls/ntoskrnl.exe/ntoskrnl.c
@@ -592,15 +592,20 @@ PIRP WINAPI IoAllocateIrp( CCHAR stack_size, BOOLEAN charge_quota )
 {
     SIZE_T size;
     PIRP irp;
+    CCHAR loc_count = stack_size;
 
     TRACE( "%d, %d\n", stack_size, charge_quota );
 
-    size = sizeof(IRP) + stack_size * sizeof(IO_STACK_LOCATION);
+    if (loc_count < 8 && loc_count != 1)
+        loc_count = 8;
+
+    size = sizeof(IRP) + loc_count * sizeof(IO_STACK_LOCATION);
     irp = ExAllocatePool( NonPagedPool, size );
     if (irp == NULL)
         return NULL;
     IoInitializeIrp( irp, size, stack_size );
-    irp->AllocationFlags = IRP_ALLOCATED_FIXED_SIZE;
+    if (stack_size >= 1 && stack_size <= 8)
+        irp->AllocationFlags = IRP_ALLOCATED_FIXED_SIZE;
     if (charge_quota)
         irp->AllocationFlags |= IRP_LOOKASIDE_ALLOCATION;
     return irp;
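Review bot: the clamp only fixes the allocation size; the unchecked `stack_size` is still passed through on the unchanged line `IoInitializeIrp( irp, size, stack_size );`, so a caller value such as the -128 from the description still reaches IoInitializeIrp and, depending on what that function does with it (not visible in this hunk), may be stored in the IRP as its stack count. If that is intentional to match what the Windows XP test shows, a one-line comment saying so would help the next reader; otherwise consider passing `loc_count` there as well. The thresholds in `if (loc_count < 8 && loc_count != 1)` and `if (stack_size >= 1 && stack_size <= 8)` also deserve a short comment explaining that 1 and 8 are the fixed-size allocation classes that `IRP_ALLOCATED_FIXED_SIZE` refers to, since the two conditions are written in different forms and it is not obvious from the code alone that they are meant to describe the same cases.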
-- 
2.1.4