https://git.reactos.org/?p=reactos.git;a=commitdiff;h=d96b3cd45c888d7e37c9207dbb44321fc47bfec9
commit d96b3cd45c888d7e37c9207dbb44321fc47bfec9 Author: Oleg Dubinskiy <oleg.dubinski...@gmail.com> AuthorDate: Fri Oct 6 12:36:09 2023 +0200 Commit: GitHub <nore...@github.com> CommitDate: Fri Oct 6 12:36:09 2023 +0200 [KS] Fix bug in KsStreamIo (#4663) Properly set output buffer length in IO Stack Location of the current IRP, since it is passed to KsProbeStreamIrp when calling KsStreamIo, so it fails if the length isn't set properly. Don't set an input buffer length and the buffer itself, since it isn't passed anywhere, so setting it makes no sense. Moreover, MSDN says that for IOCTL_KS_READ/WRITE_STREAM, only output buffer (and its length) is needed to be set, but not an input one. So it indeed is more correct. It fixes buffer overflow in KsProbeStreamIrp when attempting to perform the streaming via KsStreamIo. I discovered this bug during my audio refactoring from PR #4660. --- drivers/ksfilter/ks/irp.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/ksfilter/ks/irp.c b/drivers/ksfilter/ks/irp.c index ab5d1b21523..91302e67299 100644 --- a/drivers/ksfilter/ks/irp.c +++ b/drivers/ksfilter/ks/irp.c @@ -634,8 +634,7 @@ KsStreamIo( IoStack = IoGetNextIrpStackLocation(Irp); /* setup stack parameters */ IoStack->FileObject = FileObject; - IoStack->Parameters.DeviceIoControl.InputBufferLength = Length; - IoStack->Parameters.DeviceIoControl.Type3InputBuffer = StreamHeaders; + IoStack->Parameters.DeviceIoControl.OutputBufferLength = Length; IoStack->Parameters.DeviceIoControl.IoControlCode = (Flags == KSSTREAM_READ ? IOCTL_KS_READ_STREAM : IOCTL_KS_WRITE_STREAM); if (CompletionRoutine)
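Review bot: In the "setup stack parameters" block of KsStreamIo, the new OutputBufferLength = Length assignment has no comment explaining why it matters. The commit message says KsProbeStreamIrp relies on this field, so a one-line comment saying that the length must equal the size of the StreamHeaders buffer would help keep a later edit from reintroducing the overflow. Because the Type3InputBuffer = StreamHeaders assignment is removed, please also confirm that StreamHeaders is still attached to the IRP elsewhere in the function (not visible in this hunk). If the next stack location is not already zeroed at this point, consider setting InputBufferLength to 0 explicitly rather than leaving it unassigned.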