From: Qian Hong Subject: [PATCH 3/7] advapi32: Prepend a hidden LSA_TRUST_INFORMATION in LsaLookupNames2 to avoid crash when Domains[-1] incorrectly accessed by application. (try 2) Message-Id: <552368CA.3060107@codeweavers.com> Date: Tue, 07 Apr 2015 13:19:06 +0800 --- dlls/advapi32/lsa.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/dlls/advapi32/lsa.c b/dlls/advapi32/lsa.c index 56f533d..ef54400 100644 --- a/dlls/advapi32/lsa.c +++ b/dlls/advapi32/lsa.c @@ -404,14 +404,17 @@ NTSTATUS WINAPI LsaLookupNames2( LSA_HANDLE policy, ULONG flags, ULONG count, sid = (SID *)(*sids + count); /* use maximum domain count */ - if (!(*domains = heap_alloc(sizeof(LSA_REFERENCED_DOMAIN_LIST) + sizeof(LSA_TRUST_INFORMATION)*count + - sid_size_total + domainname_size_total*sizeof(WCHAR)))) + if (!(*domains = heap_alloc(sizeof(LSA_REFERENCED_DOMAIN_LIST) + sizeof(LSA_TRUST_INFORMATION) * (count + 1) + + sid_size_total + domainname_size_total * sizeof(WCHAR)))) { heap_free(*sids); return STATUS_NO_MEMORY; } (*domains)->Entries = 0; - (*domains)->Domains = (LSA_TRUST_INFORMATION*)((char*)*domains + sizeof(LSA_REFERENCED_DOMAIN_LIST)); + (*domains)->Domains = (LSA_TRUST_INFORMATION*)((char*)*domains + sizeof(LSA_REFERENCED_DOMAIN_LIST) + sizeof(LSA_TRUST_INFORMATION)); + (*domains)->Domains[-1].Sid = NULL; + RtlInitUnicodeStringEx(&(*domains)->Domains[-1].Name, NULL); + domain_data = (char*)(*domains)->Domains + sizeof(LSA_TRUST_INFORMATION)*count; domain.Buffer = heap_alloc(domain_size_max*sizeof(WCHAR));