[PATCH] setupx.dll16: Avoid strcmp() result truncation (Coverity)

Marcus Meissner marcus at jet.franken.de
Sat Jul 7 04:52:22 CDT 2012


Hi,

strcmp() might return a full 32-bit wide difference in optimized
strcmp cases, so we need to avoid truncating the upper 16 bits.

(mysql security flaw resulting from such a truncation:
https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql)

Ciao, Marcus
---
 dlls/setupx.dll16/virtcopy.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

diff --git a/dlls/setupx.dll16/virtcopy.c b/dlls/setupx.dll16/virtcopy.c
index a718ac9..773202e 100644
--- a/dlls/setupx.dll16/virtcopy.c
+++ b/dlls/setupx.dll16/virtcopy.c
@@ -591,9 +591,17 @@ static void VCP_UI_RegisterProgressClass(void)
 static RETERR16 VCP_UI_NodeCompare(LPVIRTNODE vn1, LPVIRTNODE vn2)
 {
     LPCSTR file1, file2;
+    int ret;
     file1 = vsmGetStringRawName16(vn1->vfsSrc.vhstrFileName);
     file2 = vsmGetStringRawName16(vn2->vfsSrc.vhstrFileName);
-    return (RETERR16)strcmp(file1, file2);
+
+    ret = strcmp(file1, file2);
+    /* Looks too complicated, but in optimized strcpy we might get
+     * a 32bit wide difference and would truncate it to 16 bit, so
+     * erronously returning equality. */
+    if (ret < 0) return -1;
+    if (ret > 0) return  1;
+    return 0;
 }
 
 static RETERR16 VCP_UI_CopyStart(void)
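Review bot: The comment above the sign check says "optimized strcpy" where it means strcmp, and "erronously" should be "erroneously"; please fix both before this goes in, since the comment is the only record of why the extra lines exist. The normalisation itself is right: returning -1/0/1 rather than `(RETERR16)strcmp(file1, file2)` keeps a difference such as 0x10000 from collapsing to 0 and reporting two different file names as equal. If you want it shorter, `return (ret > 0) - (ret < 0);` expresses the same three-way result in one line.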
-- 
1.7.3.4
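The truncation the cover letter describes, shown with an added example that is not part of Marcus's patch or of Wine: `wide_strcmp` is a constructed stand-in for an optimised strcmp that returns a position-scaled 32-bit difference, `RETERR16` is assumed to be a 16-bit integer as in setupx.dll16, and the two comparison functions mirror the pre-patch cast and the patched sign normalisation.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: RETERR16 is a 16-bit integer, as in Wine's setupx.dll16. */
typedef int16_t RETERR16;

/* Constructed stand-in for an "optimized" strcmp. It finds the first differing
 * byte but, like a word-at-a-time implementation, returns that difference
 * scaled by the byte's position inside a 4-byte word, so the low 16 bits of
 * the result may be all zero. Inputs are assumed to be ASCII so the scaled
 * value fits in an int. */
static int wide_strcmp(const char *a, const char *b)
{
    size_t k = 0;
    while (a[k] != '\0' && a[k] == b[k]) k++;
    int diff = (unsigned char)a[k] - (unsigned char)b[k];
    if (diff == 0) return 0;
    int scale = 1 << (8 * (3 - (int)(k % 4)));  /* 2^24 for byte 0 of a word */
    return diff * scale;
}

/* Pre-patch behaviour: cast the raw difference straight to the 16-bit type
 * (the narrowing keeps only the low 16 bits on common compilers). */
static RETERR16 compare_truncating(const char *a, const char *b)
{
    return (RETERR16)wide_strcmp(a, b);
}

/* Patched behaviour: reduce to -1/0/1 before narrowing, so the sign survives. */
static RETERR16 compare_normalised(const char *a, const char *b)
{
    int ret = wide_strcmp(a, b);
    if (ret < 0) return -1;
    if (ret > 0) return 1;
    return 0;
}

int main(void)
{
    /* "apple" vs "bpple": first byte differs, so diff = -1 * 2^24 = -0x01000000 */
    printf("wide   : %d\n", wide_strcmp("apple", "bpple"));         /* -16777216 */
    printf("trunc  : %d\n", compare_truncating("apple", "bpple"));  /* 0: false equality */
    printf("normal : %d\n", compare_normalised("apple", "bpple"));  /* -1 */
    return 0;
}
```

The same collapse happens whenever the first mismatch sits in byte 0 or 1 of a word (scale 2^24 or 2^16), which is exactly the case the patch's -1/0/1 reduction closes.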