PATCH: strange buffer overflow in profile
Marcus Meissner
marcus at jet.franken.de
Mon Jun 4 07:07:53 CDT 2001
Hi,
The PROFILE_GetSection() code could pass 0 or -1 to PROFILE_CopyEntry
which in turn confused it so it overwrote the end of the passed buffer.
Added implicit < 2 check in GetSection.
Ciao, Marcus
Changelog:
Check for enough buffer space in PROFILE_GetSection().
Index: files/profile.c
===================================================================
RCS file: /home/wine/wine/files/profile.c,v
retrieving revision 1.49
diff -u -r1.49 profile.c
--- files/profile.c 2001/05/09 17:31:34 1.49
+++ files/profile.c 2001/06/04 13:03:04
@@ -722,6 +798,8 @@
PROFILE_CopyEntry( buffer, key->name, len - 1, handle_env );
len -= strlen(buffer) + 1;
buffer += strlen(buffer) + 1;
+ if (len < 2)
+ break;
if (return_values && key->value) {
buffer[-1] = '=';
PROFILE_CopyEntry ( buffer,
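Review bot: the new `if (len < 2) break;` sits after the first `PROFILE_CopyEntry( buffer, key->name, len - 1, handle_env );`, so it guards the value copy in the `return_values` branch and any later iteration, but the key-name copy at the top of this block can still be handed a `len - 1` of 0 or less unless code outside the visible context guarantees `len >= 2` on entry. Consider moving the check ahead of that first call, or confirm the entry condition and say so in the changelog. The test also depends on `len` being a signed type, because `len -= strlen(buffer) + 1` has to be able to go negative rather than wrap; a one-line comment explaining why the threshold is 2 would help the next reader. Separately, the hunk header `@@ -722,6 +798,8 @@` shows a 76-line offset between the old and new positions, which suggests the diff was taken from a tree with other local changes, so it is worth checking that it applies cleanly to revision 1.49.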