[PATCH 1/4] regedit: Validate REG_SZ import data before processing it any further (v2)

Hugh McMaster hugh.mcmaster at outlook.com
Fri Apr 21 03:39:15 CDT 2017


On Friday, 21 April 2017 3:11 AM, Alexandre Julliard wrote:
>Hugh McMaster writes:
>> +        } else if (str[str_idx] == '"') {
>> +            WCHAR *p = str + str_idx + 1;
>> +            while (*p == ' ' || *p == '\t') p++;
>> +            if (*p && *p != ';') return 0;
>> +            str[val_idx++] = str[str_idx];
>> +            break;
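Review bot: the `return 0` in the closing-quote branch bails out of a routine that rewrites `str` in place (`str[val_idx++] = str[str_idx]`), so on a rejected line the caller is left with a buffer that may already be partly modified, and nothing in these lines terminates it. Either state in the function's comment that `str` must not be used after a 0 return, or limit this branch to recording where the closing quote was found and let the caller inspect what follows it, which also keeps the `;` comment rule out of the unescape routine.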
>
>That would work, but it seems to me that the comment check would be
>better in the caller, so that you can use the same code for validating
>value names.

Sure. That would mean returning a pointer to any unparsed data in the original string.
It has to be the original string because converting escape sequences to their character
equivalents causes an offset, so relying on the new string length is unreliable.

Note, though, that the double quotes surrounding the value name are removed
before we call REGPROC_unescape_string(val_name) in processSetValue().

That said, if you think it would be better to replace a lot of
the code in processSetValue() (see line 554 onwards in programs/regedit/regproc.c)
with REGPROC_unescape_string(), let me know.

Hugh
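
The approach discussed in this message, sketched as an added example that is not part of the thread and is not Wine's code: an in-place unescape that returns a pointer to the unparsed tail of the original buffer, with the comment check done by the caller. The names `unescape_quoted`, `tail_is_blank_or_comment` and `parse_quoted_value`, the use of `char` rather than `WCHAR`, and the set of escapes handled are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: unescape in place up to the closing '"'. Returns a
 * pointer just past that quote in the ORIGINAL buffer, or NULL when the
 * string is unterminated. The write index never passes the read index. */
static char *unescape_quoted(char *str)
{
    size_t src = 0, dst = 0;
    while (str[src]) {
        if (str[src] == '\\') {
            char c = str[++src];
            if (!c) return NULL;                 /* dangling backslash */
            if (c == 'n') str[dst++] = '\n';
            else if (c == '\\' || c == '"') str[dst++] = c;
            else { str[dst++] = '\\'; str[dst++] = c; } /* keep unknown escapes */
            src++;
        } else if (str[src] == '"') {
            str[dst] = '\0';                     /* terminate the value */
            return str + src + 1;                /* tail, untouched by the rewrite */
        } else {
            str[dst++] = str[src++];
        }
    }
    return NULL;
}

/* Caller-side check: only blanks or a ';' comment may follow the quote. */
static int tail_is_blank_or_comment(const char *p)
{
    while (*p == ' ' || *p == '\t') p++;
    return *p == '\0' || *p == ';';
}

/* line points just past the opening quote; 1 = accepted, 0 = rejected. */
static int parse_quoted_value(char *line)
{
    char *rest = unescape_quoted(line);
    return rest && tail_is_blank_or_comment(rest);
}

int main(void)
{
    char line[] = "a\\\\b\\\"c\" ; comment";     /* constructed sample input */
    char *rest = unescape_quoted(line);
    /* The tail offset (8) differs from strlen(value) + 1 (6) because of escapes. */
    printf("value=[%s] tail offset=%d ok=%d\n", line, (int)(rest - line),
           tail_is_blank_or_comment(rest));
    return 0;
}
```

The same `unescape_quoted` can validate a value name, with the caller then checking for `=` in the tail instead of a comment.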

