[Bug 49314] Wine segfaults with too many command-line arguments
WineHQ Bugzilla
wine-bugs at winehq.org
Tue Jun 9 08:02:34 CDT 2020
https://bugs.winehq.org/show_bug.cgi?id=49314
--- Comment #5 from esteve.varela at gmail.com ---
Tracking down that commit, and messing around with the differences in the code
before and after, this change seems to fix it:
diff --git a/dlls/ntdll/env.c b/dlls/ntdll/env.c
index f8b243154b..8d5d86e48c 100644
--- a/dlls/ntdll/env.c
+++ b/dlls/ntdll/env.c
@@ -810,9 +810,9 @@ static void build_command_line( WCHAR **argv,
UNICODE_STRING *cmdline )
LPWSTR p;
len = 1;
- for (arg = argv; *arg; arg++) len += 3 + 2 * wcslen( *arg );
+ for (arg = argv; *arg; arg++) len += 3 + wcslen( *arg );
cmdline->MaximumLength = len * sizeof(WCHAR);
- if (!(cmdline->Buffer = RtlAllocateHeap( GetProcessHeap(), 0,
cmdline->MaximumLength ))) return;
+ if (!(cmdline->Buffer = RtlAllocateHeap( GetProcessHeap(), 0, len *
sizeof(WCHAR) ))) return;
p = cmdline->Buffer;
for (arg = argv; *arg; arg++)
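Review bot: The unchanged line `cmdline->MaximumLength = len * sizeof(WCHAR);` still stores the byte count in MaximumLength, which is a 16-bit USHORT in UNICODE_STRING. With the allocation now sized from `len * sizeof(WCHAR)` directly, the buffer and the recorded MaximumLength disagree for any command line larger than 65535 bytes, and any later code that trusts MaximumLength sees the wrong capacity. Separately, dropping the `2 *` factor in the length loop shrinks the per-argument estimate. If the copy loop that follows can emit more than one WCHAR per input character, the buffer is now undersized and the write runs past the allocation. Suggest keeping the original worst-case formula, allocating from the full-width size, and checking that size against the field's maximum before assigning MaximumLength, failing cleanly when it does not fit.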
This probably isn't a "proper" fix but it works well enough to not segfault. I
suppose the "MaximumLength" value overflows for some reason, and should be
bounds-checked. I wonder if this is a security issue?
--
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
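The truncation suspected in the comment above, shown as an added example (not part of the original mail and not Wine's code). It assumes a simplified stand-in for UNICODE_STRING with the 16-bit length fields of the Windows definition and reuses the pre-patch size formula from the hunk; `struct ustr`, `wlen16`, `cmdline_bytes_needed`, `unchecked_maximum_length` and `set_maximum_length` are hypothetical names, and the argument list is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t WCHAR16;   /* 16-bit WCHAR, as on Windows */

/* Simplified stand-in for UNICODE_STRING: the length fields are 16-bit. */
struct ustr { uint16_t Length, MaximumLength; WCHAR16 *Buffer; };

static size_t wlen16(const WCHAR16 *s) { size_t n = 0; while (s[n]) n++; return n; }

/* Worst-case byte size, using the pre-patch formula from the hunk:
   len = 1 + sum(3 + 2 * wcslen(arg)), then len * sizeof(WCHAR). */
size_t cmdline_bytes_needed(WCHAR16 **argv)
{
    size_t len = 1;
    for (WCHAR16 **arg = argv; *arg; arg++) len += 3 + 2 * wlen16(*arg);
    return len * sizeof(WCHAR16);
}

/* What an unchecked assignment leaves in the 16-bit field. */
uint16_t unchecked_maximum_length(size_t bytes) { return (uint16_t)bytes; }

/* Bounds-checked variant: returns 0 and leaves *us untouched when the
   size cannot be represented, so the caller can fail cleanly. */
int set_maximum_length(struct ustr *us, size_t bytes)
{
    if (bytes > UINT16_MAX) return 0;
    us->MaximumLength = (uint16_t)bytes;
    return 1;
}

int main(void)
{
    /* Constructed input: 4000 copies of a 7-character argument. */
    static WCHAR16 word[] = { '-', '-', 'f', 'l', 'a', 'g', 's', 0 };
    static WCHAR16 *argv[4001];   /* last slot stays NULL */
    struct ustr us = { 0, 0, NULL };
    for (int i = 0; i < 4000; i++) argv[i] = word;

    size_t need = cmdline_bytes_needed(argv);
    printf("bytes needed:         %zu\n", need);
    printf("unchecked 16-bit:     %u\n", (unsigned)unchecked_maximum_length(need));
    printf("checked set accepted: %d\n", set_maximum_length(&us, need));
    return 0;
}
```

A buffer allocated from the truncated field value would be far smaller than what the builder loop is allowed to write, which is the heap-overflow condition a bounds check rules out.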