From b6fdb6cbaa88ccfe903a420b09e5d233f2f09d52 Mon Sep 17 00:00:00 2001
From: midipix
Date: Wed, 24 Jan 2024 01:48:07 +0000
Subject: __ntapi_tt_spawn_native_process(): refactor buffer size accounting.
---
 src/process/ntapi_tt_spawn_native_process.c | 24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)
diff --git a/src/process/ntapi_tt_spawn_native_process.c b/src/process/ntapi_tt_spawn_native_process.c
index b69c2f1..56007e1 100644
--- a/src/process/ntapi_tt_spawn_native_process.c
+++ b/src/process/ntapi_tt_spawn_native_process.c
@@ -82,6 +82,7 @@ int32_t __stdcall __ntapi_tt_spawn_native_process(nt_spawn_process_params * spar
 wchar16_t ** pwarg;
 wchar16_t * wenv;
 wchar16_t * wch;
+ wchar16_t * wcap;
 void * hchild[2];
 wchar16_t * imgbuf;
 uint32_t fsuspended;
@@ -188,10 +189,12 @@ int32_t __stdcall __ntapi_tt_spawn_native_process(nt_spawn_process_params * spar
 imgname = (nt_unicode_string *)imgbuf;
- /* argv, envp */
+ /* imgbuf must remain intact until after creation of the child process */
 buflen = rtblock.size;
 buflen -= sizeof(*rdata);
+ buflen -= __SPAWN_NATIVE_PROCESS_RUNTIME_BLOCK_IMGBUF_SIZE;
+ /* argv, envp */
 if ((status = __ntapi->tt_array_copy_utf8(
 &rdata->argc,
 (const char **)sparams->argv,
@@ -222,13 +225,11 @@ int32_t __stdcall __ntapi_tt_spawn_native_process(nt_spawn_process_params * spar
 pwarg = rdata->wenvp + rdata->envc + 1;
 wch = (wchar16_t *)pwarg;
- if ((written = (uintptr_t)wch - (uintptr_t)rdata) > rtblock.size) return __tt_spawn_return( &rtblock,himgfile,0,0, NT_STATUS_BUFFER_TOO_SMALL);
+ wcap = (wchar16_t *)rtblock.addr;
+ wcap += rtblock.size / sizeof(wchar16_t);
- buflen = rtblock.size; buflen -= written;
+ buflen = (wcap - wch) * sizeof(wchar16_t);
+ buflen -= __SPAWN_NATIVE_PROCESS_RUNTIME_BLOCK_IMGBUF_SIZE;
 if ((status = __ntapi->tt_array_convert_utf8_to_utf16(
 rargv,
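Review bot: The explicit `written > rtblock.size` guard removed in the `@@ -222,13 +225,11 @@` hunk is replaced by `buflen = (wcap - wch) * sizeof(wchar16_t)` with no check that `wch` still lies at or below `wcap`; if the argv/envp copy ever advanced `wch` past the block end, the pointer difference is negative and, should `buflen` be unsigned (its declaration is outside the hunk), it becomes a huge byte budget for the utf-16 conversion that follows. The next line, `buflen -= __SPAWN_NATIVE_PROCESS_RUNTIME_BLOCK_IMGBUF_SIZE`, underflows the same way whenever fewer than IMGBUF_SIZE bytes remain between `wch` and `wcap`. Both are presumably unreachable if `tt_array_copy_utf8` honours the budget passed to it in the previous hunk, but that contract is not visible here, and the check being deleted was the defence-in-depth for exactly this case. I would keep one before the subtraction: `if (wch > wcap || (size_t)(wcap - wch) * sizeof(wchar16_t) < __SPAWN_NATIVE_PROCESS_RUNTIME_BLOCK_IMGBUF_SIZE) return __tt_spawn_return(&rtblock,himgfile,0,0,NT_STATUS_BUFFER_TOO_SMALL);`. The enclosing function begins and ends outside this hunk.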
@@ -239,7 +240,7 @@ int32_t __stdcall __ntapi_tt_spawn_native_process(nt_spawn_process_params * spar
 &rtblock,himgfile,0,0,
 status);
- wch += written/sizeof(wchar16_t);
+ wch += written / sizeof(wchar16_t);
 buflen -= written;
 if ((status = __ntapi->tt_array_convert_utf8_to_utf16(
@@ -255,7 +256,7 @@ int32_t __stdcall __ntapi_tt_spawn_native_process(nt_spawn_process_params * spar
 rdata->wenvp -= (uintptr_t)rtblock.addr / sizeof(wchar16_t *);
 wenv = wch;
- wch += written/sizeof(wchar16_t);
+ wch += written / sizeof(wchar16_t);
 buflen -= written;
 /* w32 environment */
@@ -302,11 +303,6 @@ int32_t __stdcall __ntapi_tt_spawn_native_process(nt_spawn_process_params * spar
 buflen -= needed;
 }
- if (buflen < __SPAWN_NATIVE_PROCESS_RUNTIME_BLOCK_IMGBUF_SIZE) return __tt_spawn_return( &rtblock,himgfile,0,0, NT_STATUS_BUFFER_TOO_SMALL);
-
 /* session */
 if (sparams->hready) {
 if ((status = __ntapi->zw_duplicate_object(
--
cgit v1.2.3