[Bug 46661] New: ISF_Desktop_fnGetDisplayNameOf function missing check for string variable This- >sPathTarget before copy it
wine-bugs at winehq.org
wine-bugs at winehq.org
Sun Feb 17 01:18:09 CST 2019
https://bugs.winehq.org/show_bug.cgi?id=46661
Bug ID: 46661
Summary: ISF_Desktop_fnGetDisplayNameOf function missing check
for string variable This->sPathTarget before copy it
Product: Wine
Version: 4.0-rc7
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: shell32
Assignee: wine-bugs at winehq.org
Reporter: ossecurity at iscas.ac.cn
Distribution: ---
ISF_Desktop_fnGetDisplayNameOf function miss the check for string variable
This->sPathTarget before copy it.
Malware(virus etc.) can leverage process injection techniques to hook this
WINAPI function(ISF_Desktop_fnGetDisplayNameOf) and tampered the string
variable This->sPathTarget which may cause "NULL pointer dereference" and
"buffer overflow" in shell32.dll.
583:static HRESULT WINAPI ISF_Desktop_fnGetDisplayNameOf (IShellFolder2 *
iface,
584: LPCITEMIDLIST pidl, DWORD dwFlags, LPSTRRET strRet)
585:{
586: IDesktopFolderImpl *This = impl_from_IShellFolder2(iface);
...
596: pszPath = CoTaskMemAlloc((MAX_PATH +1) * sizeof(WCHAR));
...
600: if (_ILIsDesktop (pidl))
601: {
602: if ((GET_SHGDN_RELATION (dwFlags) == SHGDN_NORMAL) &&
603: (GET_SHGDN_FOR (dwFlags) & SHGDN_FORPARSING))
604: strcpyW(pszPath, This->sPathTarget);//** missing check before
copy **
We find a lot of similar code but not sure about its seriousness yet.
Any comments are helpful.
--
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
More information about the wine-bugs
mailing list