PATCH: ExtractAssociatedIconA buffer overflow

Marcus Meissner meissner at suse.de
Thu Jun 16 06:08:32 CDT 2005


Hi,

In ExtractAssociatedIconA we need to allocate MAX_PATH WCHARs
before conversion, since the passed lpIconPath can and will be
overwritten by likely longer names.

My WideCharToMultiByte fu is not good, perhaps someone might adjust
the length params.

Ciao, Marcus

Changelog:
	Marcus Meissner <marcus at jet.franken.de>
	Allocate enough buffer in ExtractAssociatedIconA for
	a full path (associated executable or similar).

Index: iconcache.c
===================================================================
RCS file: /home/wine/wine/dlls/shell32/iconcache.c,v
retrieving revision 1.89
diff -u -r1.89 iconcache.c
--- dlls/shell32/iconcache.c	20 May 2005 18:58:35 -0000	1.89
+++ dlls/shell32/iconcache.c	16 Jun 2005 07:07:59 -0000
@@ -640,7 +640,12 @@
 {	
     HICON hIcon = NULL;
     INT len = MultiByteToWideChar(CP_ACP, 0, lpIconPath, -1, NULL, 0);
-    LPWSTR lpIconPathW = HeapAlloc(GetProcessHeap(), 0, len * sizeof(WCHAR));
+    /* Note that we need to allocate MAX_PATH, since we are supposed to fill
+     * the correct executable if there is no icon in lpIconPath directly.
+     * lpIconPath itself is supposed to be large enough, so make sure lpIconPathW
+     * is large enough too. Yes, I am puking too.
+     */
+    LPWSTR lpIconPathW = HeapAlloc(GetProcessHeap(), 0, MAX_PATH * sizeof(WCHAR));
 
     TRACE("%p %s %p\n", hInst, debugstr_a(lpIconPath), lpiIcon);
 
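Review bot: the new allocation is a fixed MAX_PATH WCHARs, but `len` is still computed from the caller's string and is still passed as the destination size in the following MultiByteToWideChar(CP_ACP, 0, lpIconPath, -1, lpIconPathW, len) call. An lpIconPath whose converted length exceeds MAX_PATH would therefore write past the end of the heap block. Either allocate max(len, MAX_PATH) * sizeof(WCHAR) or fail early when len > MAX_PATH. The comment would also read better if it simply stated the contract (the caller's buffer must hold MAX_PATH characters because the path is written back) and dropped the last sentence.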
@@ -648,6 +653,7 @@
     {
         MultiByteToWideChar(CP_ACP, 0, lpIconPath, -1, lpIconPathW, len);
         hIcon = ExtractAssociatedIconW(hInst, lpIconPathW, lpiIcon);
+        WideCharToMultiByte(CP_ACP, 0, lpIconPathW,MAX_PATH, lpIconPath,MAX_PATH,NULL,NULL);
         HeapFree(GetProcessHeap(), 0, lpIconPathW);
     }
     return hIcon;
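Review bot: the added WideCharToMultiByte call passes MAX_PATH as the source length, so it converts all MAX_PATH WCHARs of lpIconPathW, including everything after the terminating NUL. The block comes from HeapAlloc with flags 0 and is not zero-filled, so uninitialized heap contents are converted and copied into the caller's lpIconPath. Pass -1 as the source length so the conversion stops at the terminator: WideCharToMultiByte(CP_ACP, 0, lpIconPathW, -1, lpIconPath, MAX_PATH, NULL, NULL). The destination size of MAX_PATH depends on the caller's buffer really being that large, which is only assumed by the comment in the first hunk, and the return value is ignored, so a failed conversion goes unnoticed. Please also add spaces after the commas to match the surrounding calls.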