From c080568a52db75d56712adfcc93c22f08411f2ea Mon Sep 17 00:00:00 2001
From: Doczom
Date: Sun, 9 May 2021 14:17:55 +0000
Subject: [PATCH] fixed vulnerability (kernel memory rewrite) in sysfn 4

git-svn-id: svn://kolibrios.org@8715 a494cfbc-eb01-0410-851d-a64ba20cac60
---
 kernel/trunk/kernel.asm | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/kernel/trunk/kernel.asm b/kernel/trunk/kernel.asm
index 07009fcb3f..04aa13c1d7 100644
--- a/kernel/trunk/kernel.asm
+++ b/kernel/trunk/kernel.asm
@@ -4441,6 +4441,15 @@ sys_putimage_palette:
 ; esi = number of bits per pixel, must be 8, 24 or 32
 ; edi = pointer to palette
 ; ebp = row delta
+; check pointer
+        push    ecx
+        mov     ax, cx
+        shr     ecx, 16
+        imul    eax, ecx
+        stdcall is_region_userspace, ebx, eax
+        pop     ecx
+        jz      sys_putimage.exit
+
         mov     eax, [CURRENT_TASK]
         shl     eax, 8
         add     dx, word [eax+SLOT_BASE+APPDATA.wnd_clientbox.top]
@@ -5193,6 +5202,9 @@ align 4
 syscall_writetext:                      ; WriteText
+        stdcall is_region_userspace, edx, esi
+        jz      .err
+
         mov     eax, [TASK_BASE]
         mov     ebp, [eax-twdw+WDATA.box.left]
         push    esi
@@ -5209,10 +5221,17 @@ align 4
 @@:
         mov     eax, edi
         test    ecx, 0x08000000         ; redirect the output to the user area
-        jnz     dtext
+        jnz     @f
         xor     edi, edi
         jmp     dtext
+@@:     ; check pointer
+        stdcall is_region_userspace, edi, 0
+        jz      .err
+        jmp     dtext
+.err:
+        ret
+
 align 4
 syscall_drawrect:                       ; DrawRect
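Review bot: The region handed to is_region_userspace in the new sys_putimage_palette check is width*height in pixels, not bytes: `mov ax, cx / shr ecx, 16 / imul eax, ecx` ignores esi (8, 24 or 32 bits per pixel, per the header comment) and ebp (row delta), so for 24/32-bpp images or a non-zero row delta the validated range ends well before the last byte the blit reads, and a buffer whose tail crosses into kernel space still passes. `mov ax, cx` is also a partial-register write that keeps whatever the upper half of eax held at entry, so the size is only right if eax happens to be zero there; `movzx eax, cx` states the intent and removes that dependency. The product can also wrap at 32 bits for large width*height*bpp, and imul sets CF/OF when that happens, so a `jc` after the multiply keeps a wrapped size from passing as a small one. sys_putimage_palette continues past the hunk, and the stride assumption below (ebp as a byte count added to every row, which over-counts by one delta and is therefore conservative) has to be confirmed against how ebp is consumed later in the routine. A sketch of the size computation:
```asm
; check pointer: the image spans height rows of (width*bpp/8 + row delta) bytes
        push    ecx
        movzx   eax, cx                 ; eax = height (pixels)
        shr     ecx, 16                 ; ecx = width (pixels)
        imul    ecx, esi                ; width * bits per pixel
        shr     ecx, 3                  ; bytes per pixel row
        add     ecx, ebp                ; + row delta -> stride (assumes ebp is a byte count; confirm)
        imul    eax, ecx                ; total bytes; CF/OF set if it wrapped
        jc      .size_overflow
        stdcall is_region_userspace, ebx, eax
        pop     ecx
        jz      sys_putimage.exit
; … unchanged: client-box offset adjustment and the rest of the routine …
.size_overflow:
        pop     ecx
        jmp     sys_putimage.exit
```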
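Review bot: The check added at the top of syscall_writetext validates esi bytes at edx, but nothing in the hunk ties that length to the mode bits in ecx that the routine inspects further down (`test ecx, 0x08000000` in the next hunk); if any mode derives the string's extent from something other than esi — a terminator, or a length encoded elsewhere — the validated range and the bytes dtext actually reads diverge, and the check is only as good as that assumption. A one-line comment stating it would let the next reader confirm it against the flag handling, e.g. `; assumes esi is the byte length of the string at edx in every ecx mode — confirm against the flag handling below`. The placement itself is right: the check runs before `push esi` and before eax is loaded from TASK_BASE, so the `ret` at `.err` (defined in the next hunk) returns with a balanced stack and the call's clobbers cost nothing. syscall_writetext continues outside the hunk.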
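Review bot: The redirect path's new check `stdcall is_region_userspace, edi, 0` validates a zero-length region, which at best proves that the start address edi lies in user space and says nothing about the buffer dtext then writes pixels into; this is the write path the commit title is about, and a buffer that starts just below the user/kernel boundary still passes while its rendered rows land beyond it. The check should cover the buffer's real extent — at least its header so the size fields can be read safely, then the pixel area derived from them (the buffer layout is not visible in this hunk, so the exact computation has to be confirmed against dtext, e.g. `stdcall is_region_userspace, edi, <BUFFER_BYTES placeholder>`). Separately, `mov eax, edi` above the redirect test meant the original tail-jump reached dtext with eax = edi in both modes, whereas the new `@f` path interposes a call before `jmp dtext`; unless is_region_userspace preserves eax, the redirected case now arrives with eax holding the call's result, so adding `mov eax, edi` after `jz .err` keeps the register contract dtext saw before. The `.err: ret` exit also gives the caller no indication of failure, unlike the sys_putimage_palette hunk, which routes to an existing exit label; a comment such as `; invalid user pointer: drop the request silently` would at least document that as intended.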