http://bugs.winehq.org/show_bug.cgi?id=21344
Summary: Buffer overflow in WCMD_run_program Product: Wine Version: 1.1.36 Platform: x86 OS/Version: Linux Status: UNCONFIRMED Severity: normal Priority: P2 Component: cmd AssignedTo: [email protected] ReportedBy: [email protected]
The WCMD_run_program function in wcmdmain.c copies pathposn into thisDir without checking the size:
/* Work on the first directory on the search path */ pos = strchrW(pathposn, ';'); if (pos) { memcpy(thisDir, pathposn, (pos-pathposn) * sizeof(WCHAR)); thisDir[(pos-pathposn)] = 0x00; pathposn = pos+1;
} else { strcpyW(thisDir, pathposn); pathposn = NULL; }
The size of pathposn can be up to MAXSTRING, while thisDir has size MAX_PATH.
To reproduce:
$ wine cmd /c 'Z:\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\foo' err:seh:setup_exception_record stack overflow 2144 bytes in thread 0019 eip 7bc3ea3e esp 00230ad0 stack 0x230000-0x231000-0x330000
http://bugs.winehq.org/show_bug.cgi?id=21344
--- Comment #1 from Dima Ryazanov [email protected] 2010-01-12 12:37:10 --- This also happens in completely legitimate cases - when the command has as a long argument list that contains backslashes.
http://bugs.winehq.org/show_bug.cgi?id=21344
Austin English [email protected] changed:
What |Removed |Added ---------------------------------------------------------------------------- Keywords| |download, testcase
http://bugs.winehq.org/show_bug.cgi?id=21344
Jason Edmeades [email protected] changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |[email protected]
http://bugs.winehq.org/show_bug.cgi?id=21344
Dan Kegel [email protected] changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |NEW CC| |[email protected] Ever Confirmed|0 |1
--- Comment #2 from Dan Kegel [email protected] 2010-01-24 14:04:18 --- By the way, bug 13469 was also about buffer overflows. We should probably have a conformance/regression test that checks all of those examples, in addition to the one Dima gave. (Dima ran into this running a scons script, see bug 18346.)
Getting ambitious, we might want to write test cases to tickle every unchecked strcpyW/strcatW in wine's cmd.
http://bugs.winehq.org/show_bug.cgi?id=21344
--- Comment #3 from [email protected] 2010-03-03 22:49:08 --- Created an attachment (id=26587) --> (http://bugs.winehq.org/attachment.cgi?id=26587) patch for fixing overflow in WCMD_run_program
http://bugs.winehq.org/show_bug.cgi?id=21344
Frédéric Delanoy [email protected] changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |[email protected]
--- Comment #4 from Frédéric Delanoy [email protected] 2011-07-25 17:50:32 CDT --- (In reply to comment #3)
Created an attachment (id=26587)
--> (http://bugs.winehq.org/attachment.cgi?id=26587) [details]
patch for fixing overflow in WCMD_run_program
Patches should be sent to wine-patches mailing list. They won't be picked up from here.
http://bugs.winehq.org/show_bug.cgi?id=21344
--- Comment #5 from Frédéric Delanoy [email protected] 2012-11-09 19:01:14 CST --- Still in 1.5.17
http://bugs.winehq.org/show_bug.cgi?id=21344
--- Comment #6 from Frédéric Delanoy [email protected] 2013-06-07 07:49:24 CDT --- Still in wine-1.5.31-225-gba40509
http://bugs.winehq.org/show_bug.cgi?id=21344
--- Comment #7 from Jason Edmeades [email protected] 2013-06-11 17:06:15 CDT --- Note this seems to have been submitted but not sure on the feedback (http://marc.info/?a=126772329700001&r=1&w=2)
http://bugs.winehq.org/show_bug.cgi?id=21344
--- Comment #8 from Dan Kegel [email protected] 2013-06-12 00:12:41 CDT --- If Eric Ho isn't around anymore, someone else probably needs to write their own fix for this from scratch and submit it. Alexandre frowns on reposting other people's patches.
https://bugs.winehq.org/show_bug.cgi?id=21344
[email protected] changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |[email protected]
--- Comment #9 from [email protected] --- Still an issue 1.7.50
https://bugs.winehq.org/show_bug.cgi?id=21344
[email protected] changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |[email protected]
--- Comment #10 from [email protected] --- I saw similar patch being made at some bug.
the originl buffer was like this MAX_PATH;
Then the fix was like this MAX_PATH+ANOTHER_BUFFER;
And it prevented buffer running out too soon.
I think similar would work here.
https://bugs.winehq.org/show_bug.cgi?id=21344
--- Comment #11 from Gijs Vermeulen [email protected] --- Still present with wine-8.9. I did have to remove the quotes from the example in the OP.
https://bugs.winehq.org/show_bug.cgi?id=21344
Vijay Kamuju [email protected] changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |[email protected] Status|NEW |RESOLVED Resolution|--- |FIXED
--- Comment #12 from Vijay Kamuju [email protected] --- This is now fixed in wine 9.12, no crash
https://bugs.winehq.org/show_bug.cgi?id=21344
Alexandre Julliard [email protected] changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED
--- Comment #13 from Alexandre Julliard [email protected] --- Closing bugs fixed in 9.13.