From ce60eb845968d80e693566dd9bbf284fed31bc1c Mon Sep 17 00:00:00 2001
From: Octavian Voicu
Date: Tue, 6 Sep 2011 15:23:42 +0300
Subject: [PATCH] ntdll: Fix two buffer overflow conditions in RtlDosPathNameToNtPathName_U.
---
 dlls/ntdll/path.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/dlls/ntdll/path.c b/dlls/ntdll/path.c
index 320772013b..6138fa88ca 100644
--- a/dlls/ntdll/path.c
+++ b/dlls/ntdll/path.c
@@ -383,8 +383,14 @@ BOOLEAN WINAPI RtlDosPathNameToNtPathName_U(PCWSTR dos_path,
 if (!(ptr = RtlAllocateHeap(GetProcessHeap(), 0, sz))) return FALSE;
 sz = RtlGetFullPathName_U(dos_path, sz, ptr, file_part);
 }
+ sz += (1 /* NUL */ + 4 /* unc\ */ + 4 /* \??\ */) * sizeof(WCHAR);
+ if (sz > MAXWORD)
+ {
+ if (ptr != local) RtlFreeHeap(GetProcessHeap(), 0, ptr);
+ return FALSE;
+ }
- ntpath->MaximumLength = sz + (4 /* unc\ */ + 4 /* \??\ */) * sizeof(WCHAR);
+ ntpath->MaximumLength = sz;
 ntpath->Buffer = RtlAllocateHeap(GetProcessHeap(), 0, ntpath->MaximumLength);
 if (!ntpath->Buffer)
 {
--
2.32.0.93.g670b81a890
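Review bot: The new `sz > MAXWORD` guard trusts whatever the retry call `sz = RtlGetFullPathName_U(dos_path, sz, ptr, file_part);` returned, and nothing visible in the hunk re-checks that value against the size just allocated for `ptr`. If the second call can report 0 or a larger required size than the first (for example when the inputs to path resolution change between the two calls), `sz` no longer describes the contents of `ptr`, and the size computed here would be based on it. Consider keeping the allocated size in a local and sending `sz == 0 || sz > allocated` through the same free-and-return-FALSE branch. A short comment on the guard, such as `/* MaximumLength is a USHORT; larger sizes would be truncated */`, would also record why MAXWORD is the limit. The function starts before and continues after this hunk, so how `ptr` is copied into `ntpath->Buffer` is not visible here.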