From: Sebastian Lackner <sebastian@fds-team.de>
Subject: [2/4] advapi: Trigger write watches before passing userdata pointer to read syscall.
Message-Id: <542F5151.3040403@fds-team.de>
Date: Sat, 04 Oct 2014 03:45:53 +0200

No crash here, but the function could unexpectedly fail in this case. 

---
 dlls/advapi32/crypt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

From 7d9f628d8fa776d60c1f81d88cd1730c65d2f349 Mon Sep 17 00:00:00 2001
From: Sebastian Lackner <sebastian@fds-team.de>
Date: Sat, 4 Oct 2014 02:38:27 +0200
Subject: advapi: Trigger write watches before passing userdata pointer to read
 syscall.

---
 dlls/advapi32/crypt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dlls/advapi32/crypt.c b/dlls/advapi32/crypt.c
index b2be5e3..50502b8 100644
--- a/dlls/advapi32/crypt.c
+++ b/dlls/advapi32/crypt.c
@@ -2378,7 +2378,8 @@ BOOLEAN WINAPI SystemFunction036(PVOID pbBuffer, ULONG dwLen)
     dev_random = open("/dev/urandom", O_RDONLY);
     if (dev_random != -1)
     {
-        if (read(dev_random, pbBuffer, dwLen) == (ssize_t)dwLen)
+        if (!IsBadWritePtr( pbBuffer, dwLen ) &&
+            read(dev_random, pbBuffer, dwLen) == (ssize_t)dwLen)
         {
             close(dev_random);
             return TRUE;
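Review bot: The added IsBadWritePtr( pbBuffer, dwLen ) in the if condition has no comment and reads like a plain pointer validity check. According to the subject line, it is there to touch the buffer so that write watches are triggered before read() is handed the pointer. A one-line comment above the condition saying so would keep a later cleanup from dropping the call as redundant. Also note that because the two tests are joined with &&, a buffer rejected by IsBadWritePtr takes the same path as a short or failed read(), so the caller cannot tell an invalid buffer from a /dev/urandom error; confirm that this is the intended behaviour for SystemFunction036.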
-- 
2.1.1