Fixed a number of buffer overflows (based on limits of Windows cmd.exe): - Each of param1 and param2 can be almost as long as MAXSTRING(actually a few characters shorter) so their length was changed. - Fixed an overflow with long program names(aka stemofsearch), it can't be equal to or longer than MAX_PATH. - Fixed an overflow in WCMD_DumpCommands with long commands by removing the fixed-length buffer and using WINE_TRACE instead of buffer+sprintf.
Diaa Sami
diaasami at gmail.com
Wed Feb 4 09:11:03 CST 2009
---
programs/cmd/wcmdmain.c | 27 ++++++++++++++++-----------
1 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/programs/cmd/wcmdmain.c b/programs/cmd/wcmdmain.c
index 4bbd72e..f50c0ae 100644
--- a/programs/cmd/wcmdmain.c
+++ b/programs/cmd/wcmdmain.c
@@ -88,7 +88,7 @@ static const WCHAR equalsW[] = {'=','\0'};
static const WCHAR closeBW[] = {')','\0'};
WCHAR anykey[100];
WCHAR version_string[100];
-WCHAR quals[MAX_PATH], param1[MAX_PATH], param2[MAX_PATH];
+WCHAR quals[MAX_PATH], param1[MAXSTRING], param2[MAXSTRING];
BATCH_CONTEXT *context = NULL;
extern struct env_stack *pushd_directories;
static const WCHAR *pagedMessage = NULL;
@@ -972,7 +972,8 @@ void WCMD_run_program (WCHAR *command, int called) {
WCHAR temp[MAX_PATH];
WCHAR pathtosearch[MAXSTRING];
WCHAR *pathposn;
- WCHAR stemofsearch[MAX_PATH];
+ WCHAR stemofsearch[MAX_PATH]; // maximum allowed executable name is
+ // MAX_PATH, including null character
WCHAR *lastSlash;
WCHAR pathext[MAXSTRING];
BOOL extensionsupplied = FALSE;
@@ -998,6 +999,15 @@ void WCMD_run_program (WCHAR *command, int called) {
strcpyW (pathtosearch, curDir);
}
if (strchrW(param1, '.') != NULL) extensionsupplied = TRUE;
+ if (strlenW(param1) >= MAX_PATH)
+ {
+ const WCHAR c[] = {'T','h','e',' ','i','n','p','u','t',' ',
+ 'l','i','n','e',' ','i','s',' ','t','o','o',' ',
+ 'l','o','n','g','.','\n','\0'};
+ WCMD_output_asis (c);
+ return;
+ }
+
strcpyW(stemofsearch, param1);
} else {
@@ -1584,22 +1594,17 @@ WCHAR *WCMD_LoadMessage(UINT id) {
* Dumps out the parsed command line to ensure syntax is correct
*/
static void WCMD_DumpCommands(CMD_LIST *commands) {
- WCHAR buffer[MAXSTRING];
CMD_LIST *thisCmd = commands;
- const WCHAR fmt[] = {'%','p',' ','%','d',' ','%','2','.','2','d',' ',
- '%','p',' ','%','s',' ','R','e','d','i','r',':',
- '%','s','\0'};
-
+
WINE_TRACE("Parsed line:\n");
while (thisCmd != NULL) {
- sprintfW(buffer, fmt,
+ WINE_TRACE("%p %d %2.2d %p %s Redir:%s\n",
thisCmd,
thisCmd->prevDelim,
thisCmd->bracketDepth,
thisCmd->nextcommand,
- thisCmd->command,
- thisCmd->redirects);
- WINE_TRACE("%s\n", wine_dbgstr_w(buffer));
+ wine_dbgstr_w(thisCmd->command),
+ wine_dbgstr_w(thisCmd->redirects));
thisCmd = thisCmd->nextcommand;
}
}
--
1.5.6.3
More information about the wine-patches
mailing list