[Bug 21344] New: Buffer overflow in WCMD_run_program
wine-bugs at winehq.org
Tue Jan 12 12:04:13 CST 2010
http://bugs.winehq.org/show_bug.cgi?id=21344
Summary: Buffer overflow in WCMD_run_program
Product: Wine
Version: 1.1.36
Platform: x86
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: cmd
AssignedTo: wine-bugs at winehq.org
ReportedBy: dima at gmail.com
The WCMD_run_program function in wcmdmain.c copies pathposn into thisDir
without checking the size:
    /* Work on the first directory on the search path */
    pos = strchrW(pathposn, ';');
    if (pos) {
      memcpy(thisDir, pathposn, (pos-pathposn) * sizeof(WCHAR));
      thisDir[(pos-pathposn)] = 0x00;
      pathposn = pos+1;
    } else {
      strcpyW(thisDir, pathposn);
      pathposn = NULL;
    }
The size of pathposn can be up to MAXSTRING, while thisDir has size MAX_PATH.
To reproduce:
$ wine cmd /c
'Z:\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\foo'
err:seh:setup_exception_record stack overflow 2144 bytes in thread 0019 eip 7bc3ea3e esp 00230ad0 stack 0x230000-0x231000-0x330000
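An added example, not part of the original report and not Wine's code: one way to bound the copy of a search-path entry into a fixed-size buffer such as thisDir. It uses standard wchar_t, wcschr and wcslen as stand-ins for Wine's WCHAR, strchrW and strcpyW; the names next_search_dir and demo, the MAX_PATH value of 260, and the policy of skipping an oversized entry are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

#define MAX_PATH 260   /* assumed Windows value; thisDir's size in the report */

/* Copy the first ';'-separated entry of *pathposn into thisDir (cap elements,
 * terminator included) and advance *pathposn past it; *pathposn becomes NULL
 * after the last entry. Returns 1 on success, 0 when the entry does not fit,
 * in which case thisDir is left empty and the entry is skipped. */
static int next_search_dir(const wchar_t **pathposn, wchar_t *thisDir, size_t cap)
{
    const wchar_t *start = *pathposn;
    const wchar_t *pos = wcschr(start, L';');
    size_t len = pos ? (size_t)(pos - start) : wcslen(start);

    *pathposn = pos ? pos + 1 : NULL;   /* always advance, even on rejection */
    if (cap == 0) return 0;
    if (len >= cap) {                   /* the size check the quoted code lacks */
        thisDir[0] = L'\0';
        return 0;
    }
    memcpy(thisDir, start, len * sizeof(wchar_t));
    thisDir[len] = L'\0';
    return 1;
}

/* Constructed sample: a search path whose middle entry is 300 characters. */
static int demo(void)
{
    wchar_t path[400], dir[MAX_PATH];
    const wchar_t *p = path;
    int accepted = 0, rejected = 0;

    wmemcpy(path, L"C:\\a;", 5);
    wmemset(path + 5, L'x', 300);
    wmemcpy(path + 305, L";C:\\b", 6);  /* 5 characters plus the terminator */
    while (p) {
        if (next_search_dir(&p, dir, MAX_PATH)) accepted++;
        else rejected++;
    }
    return accepted * 10 + rejected;    /* two entries copied, one rejected */
}

int main(void) { return demo() == 21 ? 0 : 1; }
```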