advapi32: fix a too small buffer in CredUnmarshalCredentialW [try2]
Stefan Leichter
Stefan.Leichter at camline.com
Wed Nov 14 12:26:04 CST 2012
Wednesday 14 November 2012 Hans Leidekker <hans at codeweavers.com>
> On Wed, 2012-11-14 at 16:28 +0100, Stefan Leichter wrote:
> > @@ -2053,6 +2053,8 @@ static BOOL cred_decode( const WCHAR *cred,
> > unsigned int len, char *buf )
> >
> > char c0, c1, c2, c3;
> > const WCHAR *p = cred;
> >
> > + TRACE("%s\n", debugstr_wn(cred,len));
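Review bot: the TRACE added at the top of cred_decode is a debugging aid unrelated to the buffer fix named in the subject, and it writes the encoded credential string to the debug log on every call of the helper. Drop it from this patch, or send it as a separate change if the extra trace is really wanted at this level.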
>
> This string is already traced in CredUnmarshalCredentialW.
>
> > @@ -2134,6 +2136,7 @@ BOOL WINAPI CredUnmarshalCredentialW( LPCWSTR cred,
> > PCRED_MARSHAL_TYPE type, PVO
> >
> > case UsernameTargetCredential:
> > {
> >
> > USERNAME_TARGET_CREDENTIAL_INFO *target;
> >
> > + ULONGLONG size = 0;
> >
> > if (len < 9 || !cred_decode( cred + 3, 6, (char *)&size ) ||
> > !size || size % sizeof(WCHAR)) {
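Review bot: in the UsernameTargetCredential case the condition `!size || size % sizeof(WCHAR)` rejects only a zero or odd value, so the decoded size has no upper bound. Compare it against the remaining input length (derived from len) in the same if statement, before any later calculation uses it. The new declaration `ULONGLONG size = 0;` would also benefit from a short comment saying why a 64-bit buffer is needed when cred_decode is asked to decode 6 characters into it.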
>
> You should also perform a sanity check on 'size' to avoid overflow in
> calculations that follow.
I think it is best if you start fixing your code yourself.