[resend] fusion: Avoid buffer overflow in enum_gac_assemblies.
Alexandre Julliard
julliard at winehq.org
Tue Nov 29 14:35:27 CST 2016
Gerald Pfeifer <gerald at pfeifer.com> writes:
> [ Marvin indicated testing went fine, and I did not see any feedback
> for two weeks. Only the description below has changed a little. ]
>
> In enum_gac_assemblies we have the following
>
> sprintf(buf, ", Version=%s, Culture=%s, PublicKeyToken=%s",
> ffd.cFileName, culture, ptr);
>
> culture is declared as char[MAX_PATH], and WIN32_FIND_DATAA.cFileName
> is CHAR[260], so a mere size of MAX_PATH for the output buffer buf is
> not sufficient.
>
> (We need to double sizeof(ffd.cFileName) since ptr also points
> into it.)
They all point into the same path, so the total size is not going to
exceed MAX_PATH (modulo the additionally printed chars). And it doesn't
make sense to fix this buffer but not the other ones, you are just
moving the bug.
--
Alexandre Julliard
julliard at winehq.org
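Added example, not code from Wine or from either author: a bounded version of the formatting discussed above. It sizes the output buffer from the observation in the reply that all three fields point into one path of at most MAX_PATH - 1 characters, and uses snprintf so an undersized buffer yields a detectable truncation rather than an overflow. MAX_PATH is assumed to be 260, and the helper names are assumed.

```c
/* Added example: bounded formatting of the ", Version=, Culture=,
 * PublicKeyToken=" suffix. Illustrative, not Wine's enum_gac_assemblies. */
#include <stdio.h>
#include <string.h>

#ifndef MAX_PATH
#define MAX_PATH 260   /* Windows MAX_PATH, as referenced in the thread */
#endif

#define SUFFIX_FMT ", Version=%s, Culture=%s, PublicKeyToken=%s"
/* Length of the fixed text once the three %s are removed. */
#define SUFFIX_FIXED_LEN (sizeof(", Version=, Culture=, PublicKeyToken=") - 1)
/* All three fields come from one path of at most MAX_PATH - 1 chars, so
 * the expansions together cannot exceed that; add the fixed text and NUL. */
#define SUFFIX_BUF_SIZE (MAX_PATH + SUFFIX_FIXED_LEN)

/* Format into buf (bufsize bytes). Returns chars written, or -1 if the
 * result did not fit: snprintf never writes past bufsize, so the failure
 * mode is a rejected, truncated string instead of a stack overflow. */
int format_assembly_suffix(char *buf, size_t bufsize, const char *version,
                           const char *culture, const char *token)
{
    int n = snprintf(buf, bufsize, SUFFIX_FMT, version, culture, token);
    if (n < 0 || (size_t)n >= bufsize)
        return -1;              /* caller must not use buf as complete */
    return n;
}

/* Constructed worst case: one MAX_PATH-1 character path, all of it in the
 * version field and the other two fields pointing at its terminating NUL
 * (separators consumed by parsing only make the total shorter). Formats it
 * into a buffer of bufsize bytes and returns format_assembly_suffix's result. */
int worst_case_result(size_t bufsize)
{
    char path[MAX_PATH];
    char out[SUFFIX_BUF_SIZE];
    if (bufsize > sizeof out)
        return -2;              /* bufsize larger than the scratch buffer */
    memset(path, 'a', MAX_PATH - 1);
    path[MAX_PATH - 1] = '\0';
    return format_assembly_suffix(out, bufsize, path,
                                  path + MAX_PATH - 1, path + MAX_PATH - 1);
}

/* Ordinary constructed input; returns the formatted length. */
int sample_result(void)
{
    char out[SUFFIX_BUF_SIZE];
    return format_assembly_suffix(out, sizeof out, "1.0.0.0", "neutral",
                                  "0123456789abcdef");
}
```

With a MAX_PATH-byte buffer the worst case is rejected (-1); with SUFFIX_BUF_SIZE bytes it fits exactly.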