[Bug 10095] New: buffer overflow in RtlGetFullPathName_U
wine-bugs at winehq.org
Fri Oct 19 04:07:23 CDT 2007
http://bugs.winehq.org/show_bug.cgi?id=10095
Summary: buffer overflow in RtlGetFullPathName_U
Product: Wine
Version: 0.9.47.
Platform: PC
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P1
Component: wine-loader
AssignedTo: wine-bugs at winehq.org
ReportedBy: mbuilov at gmail.com
Please review wine/dlls/ntdll/path.c, RtlGetFullPathName_U():
/******************************************************************
 *             RtlGetFullPathName_U  (NTDLL.@)
 *
 * Returns the number of bytes written to buffer (not including the
 * terminating NULL) if the function succeeds, or the required number of bytes
 * (including the terminating NULL) if the buffer is too small.
 *
 * file_part will point to the filename part inside buffer (except if we use
 * DOS device name, in which case file_in_buf is NULL)
 *
 */
DWORD WINAPI RtlGetFullPathName_U(const WCHAR* name, ULONG size, WCHAR* buffer,
                                  WCHAR** file_part)
{
    ....skipped......
    reqsize = get_full_path_helper(name, buffer, size);
    if (!reqsize) return 0;
    if (reqsize > size)
    {
        LPWSTR tmp = RtlAllocateHeap(GetProcessHeap(), 0, reqsize);
        reqsize = get_full_path_helper(name, tmp, reqsize);
        if (reqsize > size)  /* it may have worked the second time */
        {
            RtlFreeHeap(GetProcessHeap(), 0, tmp);
            return reqsize + sizeof(WCHAR);
        }
        memcpy( buffer, tmp, reqsize + sizeof(WCHAR) );
        RtlFreeHeap(GetProcessHeap(), 0, tmp);
    }
The last memcpy() will try to copy (reqsize + sizeof(WCHAR)) bytes into the buffer
of (size) bytes, but here (reqsize) may be equal to (size).
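The boundary case described in the report, as an added example that is not part of the original bug report or of Wine's code: it models only the final size check and memcpy() on a guarded buffer and counts the bytes written past the end. The check in copy_checked() is an assumed correction, not Wine's actual fix, and all function names, GUARD and MAXSZ are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WCHAR;   /* stand-in for Wine's 2-byte WCHAR */
#define GUARD 0xA5        /* fill value for the bytes past the caller's buffer */
#define MAXSZ 32          /* largest size/reqsize this model accepts */
typedef size_t (*copy_fn)(unsigned char *, size_t, const unsigned char *, size_t);

/* Final check and copy as quoted in the report: reqsize == size is accepted. */
static size_t copy_original(unsigned char *buffer, size_t size,
                            const unsigned char *tmp, size_t reqsize)
{
    if (reqsize > size) return 0;                  /* "too small" path */
    memcpy(buffer, tmp, reqsize + sizeof(WCHAR));
    return reqsize + sizeof(WCHAR);
}

/* Assumed correction: the terminating WCHAR must fit in the buffer as well. */
static size_t copy_checked(unsigned char *buffer, size_t size,
                           const unsigned char *tmp, size_t reqsize)
{
    if (reqsize + sizeof(WCHAR) > size) return 0;
    memcpy(buffer, tmp, reqsize + sizeof(WCHAR));
    return reqsize + sizeof(WCHAR);
}

/* Copy into a size-byte buffer inside a guard-filled arena; count guard bytes hit. */
static size_t guard_bytes_clobbered(copy_fn fn, size_t size, size_t reqsize)
{
    unsigned char arena[2 * MAXSZ], tmp[2 * MAXSZ] = {0};
    size_t i, hit = 0;
    if (size > MAXSZ || reqsize > MAXSZ) return (size_t)-1;
    memset(arena, GUARD, sizeof arena);
    memset(tmp, 'A', reqsize);          /* constructed path bytes, then 0 terminator */
    fn(arena, size, tmp, reqsize);      /* the arena keeps the model itself in bounds */
    for (i = size; i < sizeof arena; i++)
        if (arena[i] != GUARD) hit++;
    return hit;
}

int main(void)
{
    for (size_t r = 12; r <= 18; r += sizeof(WCHAR))
        printf("size=16 reqsize=%zu original=%zu checked=%zu\n", r,
               guard_bytes_clobbered(copy_original, 16, r),
               guard_bytes_clobbered(copy_checked, 16, r));
    return 0;
}
```

With a 16-byte buffer, only reqsize == 16 separates the two checks: the original copy writes the terminating WCHAR past the end, while the bounded check reports the buffer as too small.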