advapi32: fix a too small buffer in CredUnmarshalCredentialW [try2]
Stefan Leichter
Stefan.Leichter at camline.com
Thu Nov 15 02:41:22 CST 2012
Wednesday 14 November 2012 Stefan Leichter <Stefan.Leichter at camline.com>
> Wednesday 14 November 2012 Hans Leidekker <hans at codeweavers.com>
>
> > On Wed, 2012-11-14 at 16:28 +0100, Stefan Leichter wrote:
> > > @@ -2053,6 +2053,8 @@ static BOOL cred_decode( const WCHAR *cred,
> > > unsigned int len, char *buf )
> > >
> > > char c0, c1, c2, c3;
> > > const WCHAR *p = cred;
> > >
> > > + TRACE("%s\n", debugstr_wn(cred,len));
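Review bot: the added TRACE at the top of cred_decode is unrelated to the buffer fix named in the subject, and it writes the marshaled credential string to the debug log. The caller in the next hunk passes a slice (`cred + 3, 6`), so each call would log a fragment of that string. Drop the line from this patch, or send it separately if the extra trace is really wanted.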
> >
> > This string is already traced in CredUnmarshalCredentialW.
> >
> > > @@ -2134,6 +2136,7 @@ BOOL WINAPI CredUnmarshalCredentialW( LPCWSTR
> > > cred, PCRED_MARSHAL_TYPE type, PVO
> > >
> > > case UsernameTargetCredential:
> > > {
> > >
> > > USERNAME_TARGET_CREDENTIAL_INFO *target;
> > >
> > > + ULONGLONG size = 0;
> > >
> > > if (len < 9 || !cred_decode( cred + 3, 6, (char *)&size ) ||
> > > !size || size % sizeof(WCHAR)) {
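Review bot: in the condition right after the new `ULONGLONG size = 0;`, size is taken from the marshaled input and is only rejected when it is zero or not a multiple of sizeof(WCHAR); nothing bounds it from above. With the variable now 64 bits wide, add an upper limit tied to the input length (len) before size is used in any length arithmetic or allocation. A short comment on why the destination for the 6 decoded characters has to be a ULONGLONG would also help, since the `(char *)&size` cast hides how many bytes cred_decode writes.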
> >
> > You should also perform a sanity check on 'size' to avoid overflow in
> > calculations that follow.
>
> I think it is the best when you start fixing your code yourself
Hello Hans,
I have to say sorry, this answer is rude.
But I don't like to do unnecessary iteration on source code especially when
the "complain" has been in the previous version too. Source code usually does
not get better from iteration to iteration in this case.
Let me rephrase the last mail:
I will not send a new patch about this topic in the near future because of lack
of time. So it's now up to you or anyone else to fix the problem.
Regards Stefan