Juan Lang : shell32: Check size of input parameters before copying to fixed length buffers.
Alexandre Julliard
julliard at winehq.org
Mon Oct 17 13:08:55 CDT 2011
Module: wine
Branch: master
Commit: 726acf0f4a0c71a0a12ad089b41d9ea1bd3e1d89
URL: http://source.winehq.org/git/wine.git/?a=commit;h=726acf0f4a0c71a0a12ad089b41d9ea1bd3e1d89
Author: Juan Lang <juan.lang at gmail.com>
Date: Sun Oct 16 13:07:05 2011 -0700
shell32: Check size of input parameters before copying to fixed length buffers.
---
dlls/shell32/shlexec.c | 34 +++++++++++++++++++++++++++++++++-
1 files changed, 33 insertions(+), 1 deletions(-)
diff --git a/dlls/shell32/shlexec.c b/dlls/shell32/shlexec.c
index 3f7a170..b25a04b 100644
--- a/dlls/shell32/shlexec.c
+++ b/dlls/shell32/shlexec.c
@@ -788,14 +788,25 @@ static unsigned dde_connect(const WCHAR* key, const WCHAR* start, WCHAR* ddeexec
WCHAR * exec;
DWORD ddeInst = 0;
DWORD tid;
- DWORD resultLen;
+ DWORD resultLen, endkeyLen;
HSZ hszApp, hszTopic;
HCONV hConv;
HDDEDATA hDdeData;
unsigned ret = SE_ERR_NOASSOC;
BOOL unicode = !(GetVersion() & 0x80000000);
+ if (strlenW(key) + 1 > sizeof(regkey) / sizeof(regkey[0]))
+ {
+ FIXME("input parameter %s larger than buffer\n", debugstr_w(key));
+ return 2;
+ }
strcpyW(regkey, key);
+ endkeyLen = sizeof(regkey) / sizeof(regkey[0]) - (endkey - regkey);
+ if (strlenW(wApplication) + 1 > endkeyLen)
+ {
+ FIXME("endkey %s overruns buffer\n", debugstr_w(wApplication));
+ return 2;
+ }
strcpyW(endkey, wApplication);
applen = sizeof(app);
if (RegQueryValueW(HKEY_CLASSES_ROOT, regkey, app, &applen) != ERROR_SUCCESS)
@@ -809,6 +820,12 @@ static unsigned dde_connect(const WCHAR* key, const WCHAR* start, WCHAR* ddeexec
/* Get application command from start string and find filename of application */
if (*start == '"')
{
+ if (strlenW(start + 1) + 1 > sizeof(command) / sizeof(command[0]))
+ {
+ FIXME("size of input parameter %s larger than buffer\n",
+ debugstr_w(start + 1));
+ return 2;
+ }
strcpyW(command, start+1);
if ((ptr = strchrW(command, '"')))
*ptr = 0;
@@ -835,6 +852,11 @@ static unsigned dde_connect(const WCHAR* key, const WCHAR* start, WCHAR* ddeexec
ERR("Unable to find application path for command %s\n", debugstr_w(start));
return ERROR_ACCESS_DENIED;
}
+ if (strlenW(ptr) + 1 > sizeof(app) / sizeof(app[0]))
+ {
+ FIXME("size of found path %s larger than buffer\n", debugstr_w(ptr));
+ return 2;
+ }
strcpyW(app, ptr);
/* Remove extensions (including .so) */
@@ -848,6 +870,11 @@ static unsigned dde_connect(const WCHAR* key, const WCHAR* start, WCHAR* ddeexec
*ptr = 0;
}
+ if (strlenW(wTopic) + 1 > endkeyLen)
+ {
+ FIXME("endkey %s overruns buffer\n", debugstr_w(wTopic));
+ return 2;
+ }
strcpyW(endkey, wTopic);
topiclen = sizeof(topic);
if (RegQueryValueW(HKEY_CLASSES_ROOT, regkey, topic, &topiclen) != ERROR_SUCCESS)
@@ -890,6 +917,11 @@ static unsigned dde_connect(const WCHAR* key, const WCHAR* start, WCHAR* ddeexec
SetLastError(ERROR_DDE_FAIL);
return 30; /* whatever */
}
+ if (strlenW(wIfexec) + 1 > endkeyLen)
+ {
+ FIXME("endkey %s overruns buffer\n", debugstr_w(wIfexec));
+ return 2;
+ }
strcpyW(endkey, wIfexec);
ifexeclen = sizeof(ifexec);
if (RegQueryValueW(HKEY_CLASSES_ROOT, regkey, ifexec, &ifexeclen) == ERROR_SUCCESS)
More information about the wine-cvs
mailing list