From 65c1bc4fd2a955e94ac1991b913b3534cc2bf085 Mon Sep 17 00:00:00 2001
From: Sebastian Lackner
Date: Tue, 10 Feb 2015 21:53:58 +0100
Subject: [PATCH] ntdll-DVD_Read_Size: Avoid dereferencing NULL pointer / accessing structure when size is invalid.
---
 ...ed-IOCTL_DVD_READ_STRUCTURE-expected.patch | 23 +++++++++++--------
 patches/patchinstall.sh | 2 +-
 2 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/patches/ntdll-DVD_Read_Size/0001-ntdll-Fix-expected-IOCTL_DVD_READ_STRUCTURE-expected.patch b/patches/ntdll-DVD_Read_Size/0001-ntdll-Fix-expected-IOCTL_DVD_READ_STRUCTURE-expected.patch
index 7bbc1278..698c769a 100644
--- a/patches/ntdll-DVD_Read_Size/0001-ntdll-Fix-expected-IOCTL_DVD_READ_STRUCTURE-expected.patch
+++ b/patches/ntdll-DVD_Read_Size/0001-ntdll-Fix-expected-IOCTL_DVD_READ_STRUCTURE-expected.patch
@@ -1,22 +1,25 @@
-From 162a8926d371810046a9b651675672a4e9f6aeb2 Mon Sep 17 00:00:00 2001
+From 702df64368e9d8fbdeac60a5f0fd17f98cac139d Mon Sep 17 00:00:00 2001
 From: "Erich E. Hoover"
 Date: Mon, 22 Dec 2014 20:32:29 -0700
-Subject: ntdll: Fix expected IOCTL_DVD_READ_STRUCTURE expected output size.
+Subject: ntdll: Fix expected IOCTL_DVD_READ_STRUCTURE expected output size. (rev 2)
 ---
- dlls/ntdll/cdrom.c | 21 ++++++++++++++++++++-
- 1 file changed, 20 insertions(+), 1 deletion(-)
+ dlls/ntdll/cdrom.c | 24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
 diff --git a/dlls/ntdll/cdrom.c b/dlls/ntdll/cdrom.c
-index 62c3d16..7101e43 100644
+index 62c3d16..6ff120b 100644
 --- a/dlls/ntdll/cdrom.c
+++ b/dlls/ntdll/cdrom.c
-@@ -2492,6 +2492,25 @@ static NTSTATUS DVD_GetRegion(int fd, PDVD_REGION region)
+@@ -2492,6 +2492,28 @@ static NTSTATUS DVD_GetRegion(int fd, PDVD_REGION region)
 #endif
 }
-+static DWORD DVD_ReadStructureSize(const DVD_READ_STRUCTURE *structure)
++static DWORD DVD_ReadStructureSize(const DVD_READ_STRUCTURE *structure, DWORD size)
 +{
++ if (!structure || size != sizeof(DVD_READ_STRUCTURE))
++ return 0;
++
 + switch (structure->Format)
 + {
 + case DvdPhysicalDescriptor:
@@ -37,15 +40,15 @@ index 62c3d16..7101e43 100644
 /******************************************************************
 * DVD_ReadStructure
 *
-@@ -3095,7 +3114,7 @@ NTSTATUS CDROM_DeviceIoControl(HANDLE hDevice,
+@@ -3095,7 +3117,7 @@ NTSTATUS CDROM_DeviceIoControl(HANDLE hDevice,
 status = DVD_GetRegion(fd, lpOutBuffer);
 break;
 case IOCTL_DVD_READ_STRUCTURE:
 - sz = sizeof(DVD_LAYER_DESCRIPTOR);
-+ sz = DVD_ReadStructureSize(lpInBuffer);
++ sz = DVD_ReadStructureSize(lpInBuffer, nInBufferSize);
 if (lpInBuffer == NULL || nInBufferSize != sizeof(DVD_READ_STRUCTURE))
 status = STATUS_INVALID_PARAMETER;
 else if (nOutBufferSize < sz || !lpOutBuffer)
 status = STATUS_BUFFER_TOO_SMALL;
 else
 --
-1.9.1
+2.2.2
diff --git a/patches/patchinstall.sh b/patches/patchinstall.sh
index d10f99eb..5ff1b981 100755
--- a/patches/patchinstall.sh
+++ b/patches/patchinstall.sh
@@ -1975,7 +1975,7 @@ fi
 if test "$enable_ntdll_DVD_Read_Size" -eq 1; then
 patch_apply ntdll-DVD_Read_Size/0001-ntdll-Fix-expected-IOCTL_DVD_READ_STRUCTURE-expected.patch
 (
- echo '+ { "Erich E. Hoover", "ntdll: Fix expected IOCTL_DVD_READ_STRUCTURE expected output size.", 1 },';
+ echo '+ { "Erich E. Hoover", "ntdll: Fix expected IOCTL_DVD_READ_STRUCTURE expected output size.", 2 },';
 ) >> "$patchlist"
 fi
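Review bot: The new guard at the top of DVD_ReadStructureSize (`if (!structure || size != sizeof(DVD_READ_STRUCTURE)) return 0;`) duplicates the validation CDROM_DeviceIoControl already performs two lines after the call site in the second hunk (`lpInBuffer == NULL || nInBufferSize != sizeof(DVD_READ_STRUCTURE)`), so the same condition now has to be kept in sync in two places, and it is only needed because `sz = DVD_ReadStructureSize(lpInBuffer, nInBufferSize);` runs before that check. Moving the assignment into the branch that follows the STATUS_INVALID_PARAMETER check would let the caller's existing validation protect the dereference on its own; if the guard is intended to stay as defence in depth for other callers, a comment such as `/* caller validates too; guard keeps this helper safe when called on its own */` above it would record that. Because the helper returns 0 for rejected input, the caller's `nOutBufferSize < sz` test is never true in that case, so the two checks must stay in their current order for the STATUS_INVALID_PARAMETER path to win; the rest of the switch, including what it returns for an unrecognised Format, lies outside the hunk, so I cannot tell whether a 0 return there is distinguishable from rejected input. Both the DVD_ReadStructureSize body and the IOCTL_DVD_READ_STRUCTURE case continue outside their hunks.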