[PATCH] user.exe: Avoid truncating strcmp result (Coverity)
Marcus Meissner
marcus at jet.franken.de
Sat Jul 7 04:52:24 CDT 2012
Hi,
strcmp() might return a full 32bit wide difference in optimized
strcmp cases, so we need to avoid truncating the upper 16 bits.
(mysql security flaw resulting from such a truncation:
https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
)
Ciao, Marcus
---
dlls/user.exe16/user.c | 9 ++++++++-
1 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/dlls/user.exe16/user.c b/dlls/user.exe16/user.c
index 705620b..c1064b3 100644
--- a/dlls/user.exe16/user.c
+++ b/dlls/user.exe16/user.c
@@ -2557,7 +2557,14 @@ INT16 WINAPIV wsprintf16( LPSTR buffer, LPCSTR spec, VA_LIST16 valist )
*/
INT16 WINAPI lstrcmp16( LPCSTR str1, LPCSTR str2 )
{
- return strcmp( str1, str2 );
+ int ret;
+ /* Looks too complicated, but in optimized strcpy we might get
+ * a 32bit wide difference and would truncate it to 16 bit, so
+ * erronously returning equality. */
+ ret = strcmp( str1, str2 );
+ if (ret < 0) return -1;
+ if (ret > 0) return 1;
+ return 0;
}
--
1.7.3.4
More information about the wine-patches
mailing list