[PATCH 04/17] shell32/autocomplete: Guard against multiple format args and malicious format strings for quickComplete

Gabriel Ivăncescu gabrielopcode at gmail.com
Wed Sep 5 11:13:06 CDT 2018


This is especially important since it can be read from the registry, so it's
trivial to abuse this from other applications if one application makes use
of it.

Signed-off-by: Gabriel Ivăncescu <gabrielopcode at gmail.com>
---
 dlls/shell32/autocomplete.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/dlls/shell32/autocomplete.c b/dlls/shell32/autocomplete.c
index ec91474..3d3ec57 100644
--- a/dlls/shell32/autocomplete.c
+++ b/dlls/shell32/autocomplete.c
@@ -557,6 +557,27 @@ static HRESULT WINAPI IAutoComplete2_fnInit(
             memcpy(This->quickComplete, pwszQuickComplete, len * sizeof(WCHAR));
     }
 
+    /* Guard against more than one format arguments since that leads to either a crash
+       or leaking stack data out, especially since it can be read from the registry */
+    if (This->quickComplete) {
+        WCHAR *qc = This->quickComplete;
+        BOOL found = FALSE;
+        while ((qc = strchrW(qc, '%')) != NULL)
+        {
+            if (qc[1] == '%')  /* %% is not an arg */
+                qc++;
+            else {
+                if (found) {
+                    heap_free(This->quickComplete);
+                    This->quickComplete = NULL;
+                    break;
+                }
+                found = TRUE;
+            }
+            qc++;
+        }
+    }
+
     return S_OK;
 }
 
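Review bot: the `else` branch in the `while` loop counts every `%` that is not followed by `%` as one argument but never looks at the conversion that follows it, so a registry-supplied string with a single non-string conversion, or a single specifier using a `*` width or precision (which takes an extra argument), still passes the check. Since the subject line promises protection against malicious format strings, consider accepting only the exact form the caller expects (for example a lone `%s`) and rejecting everything else. The rejection path also frees `This->quickComplete` and still returns `S_OK` without any trace output, so a `WARN` there would make a dropped value diagnosable. As a style point, the comment should read "more than one format argument", and the brace placement is mixed between `if (This->quickComplete) {` and the `while` block.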
-- 
1.9.1



