[Bug 46661] ISF_Desktop_fnGetDisplayNameOf function missing check for string variable This- >sPathTarget before copy it

Wed Feb 20 02:38:41 CST 2019

https://bugs.winehq.org/show_bug.cgi?id=46661

--- Comment #14 from ossecurity <ossecurity at iscas.ac.cn> ---
Modern operating systems and libraries always perform validity checks of API
parameters for safe computation. However, the data querying from the
environment are paid little attention. As the API can be hooked, adverse can
intercept the return value and parameter.(In reply to ossecurity from comment
#13)
> (In reply to Zebediah Figura from comment #12)
> > (In reply to ossecurity from comment #11)
> > > Yes, that can cause application crash and this crash is a behaviour of Win32
> > > application. However, the missing check in ISF_Desktop_fnGetDisplayNameOf is
> > > the behaviour of wine.
> > > 
> > > It will be clearer to judge this bug if we focus on the behaviour mismatch.
> > > As hooking is supported function in windows, a prepared Win32
> > > Application(DoInjection.exe) doesn't crash in Windows(I verify it on Win 7),
> > > but it crashes in wine. It seems Win7 has added sufficient
> > > checks(sanitizations or authority checks), however, wine doesn't.
> > 
> > You're also assuming that Windows has the same struct layout as Wine, which
> > it almost certainly doesn't. Only behaviour differences that affect real
> > applications are worth fixing.
> > 
> > There is no real reason to check for NULL here. It doesn't matter whose
> > "behaviour" the code is. The contract internal to the Wine code is that the
> > variable is valid from the moment the struct is allocated, not that it is
> > valid if and only if it is non-NULL.
> 
> Oh yes, I mix struct layout difference into behaviour difference.
> DoInjection.exe is really not as important as Word etc. The check
> consideration really has a conflict with the internal contract of wine you
> just say. When considering about fix and maintenance, you are right. 
> 
> Maybe this kind of check for is important in other scene or software besides
> wine. I'll keep on researching.
>

I have different thought now.

What do you mean by real applications? The DoInjection.exe inject code in
explorer.exe(this is real applications).

And I think the internal contract is wrong if it's just as you
say. The variable can be changed(by a hooker) between construction and use.

Ke Yang

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.