[PATCH] msvcrt: fix character/byte confusion in buffer overflow branch

Max Kellermann max at duempel.org
Mon May 6 14:26:10 CDT 2013


The first memcpy() call in puts_clbk_str_w() confuses character count
and byte count.  It uses the number of characters (out->len) as the number
of bytes.  This leaves half of the buffer undefined.

Interestingly, the second memcpy() call in the same function is
correct.

This bug potentially makes applications expose internal (secret) data.
Usually, the destination buffer is on the stack, and the stack often
contains secrets.  Therefore, one could argue that this bug
constitutes a security vulnerability.
---
 dlls/msvcrt/printf.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dlls/msvcrt/printf.h b/dlls/msvcrt/printf.h
index cfba4b7..8b749bc 100644
--- a/dlls/msvcrt/printf.h
+++ b/dlls/msvcrt/printf.h
@@ -48,7 +48,7 @@ static int FUNC_NAME(puts_clbk_str)(void *ctx, int len, const APICHAR *str)
         return len;
 
     if(out->len < len) {
-        memcpy(out->buf, str, out->len);
+        memcpy(out->buf, str, out->len*sizeof(APICHAR));
         out->buf += out->len;
         out->len = 0;
         return -1;
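Review bot: the size argument on the `+` line now agrees with the pointer arithmetic two lines below (`out->buf += out->len` advances an APICHAR pointer by characters, so the copy must also cover `out->len` characters); note, though, that the hunk edits the shared `FUNC_NAME(puts_clbk_str)` template rather than only the `_w` variant named in the commit message, so the narrow build is touched as well. With `sizeof(APICHAR) == 1` there the change is a no-op, but it would be worth stating that in the commit message so reviewers do not have to work it out.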

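To make the "half of the buffer undefined" effect concrete, here is an added example (not Wine's code) that runs the truncating branch in both its buggy and fixed forms over a destination pre-filled with a sentinel standing in for stale stack data. The `puts_ctx` struct, the 16-bit `APICHAR` typedef and the helper names are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

/* 16-bit character, like Windows WCHAR (assumed stand-in for APICHAR). */
typedef unsigned short APICHAR;

/* Assumed shape of the callback's output context: len counts CHARACTERS. */
struct puts_ctx {
    APICHAR *buf;   /* next free slot */
    size_t   len;   /* remaining space, in characters, not bytes */
};

#define DST_CHARS 8
#define SENTINEL  0xEEEE   /* stands in for whatever the stack held before */

/* The over-long-input branch of puts_clbk_str_w, buggy and fixed variants. */
static void truncate_copy(struct puts_ctx *out, const APICHAR *str, int fixed)
{
    size_t nbytes = fixed ? out->len * sizeof(APICHAR)   /* patched line */
                          : out->len;                    /* original bug */
    memcpy(out->buf, str, nbytes);
    out->buf += out->len;   /* pointer arithmetic is in characters */
    out->len = 0;
}

/* Runs the branch over a sentinel-filled destination and returns how many
 * destination characters still hold the sentinel, i.e. were never written
 * and would leak to whoever reads the "filled" buffer afterwards. */
size_t stale_chars_after_copy(int fixed)
{
    APICHAR dst[DST_CHARS];
    APICHAR src[2 * DST_CHARS];   /* constructed input, longer than dst */
    struct puts_ctx out = { dst, DST_CHARS };
    size_t i, stale = 0;

    for (i = 0; i < DST_CHARS; i++)
        dst[i] = SENTINEL;
    for (i = 0; i < 2 * DST_CHARS; i++)
        src[i] = (APICHAR)('A' + i);

    truncate_copy(&out, src, fixed);

    for (i = 0; i < DST_CHARS; i++)
        if (dst[i] == SENTINEL)
            stale++;
    return stale;   /* buggy: 4 of 8 untouched; fixed: 0 */
}
```

With a 16-bit character the buggy branch copies only half the characters it claims to, which is exactly the "half of the buffer undefined" in the commit message.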