[PATCH 03/17] shell32/autocomplete: Handle heap_alloc failure and avoid a potential buffer overflow

Huw Davies huw at codeweavers.com
Thu Sep 6 09:51:44 CDT 2018


On Thu, Sep 06, 2018 at 04:34:11PM +0300, Gabriel Ivăncescu wrote:
> On Thu, Sep 6, 2018 at 1:24 PM, Huw Davies <huw at codeweavers.com> wrote:
> >
> > Do we have an app that actually passes crazy format strings?  What we
> > mainly care about is protecting against crazy user input strings, not app
> > provided strings, so handle the alloc failure by all means, but I'm not
> > sure the rest is really useful.
> >
> Yes, it can happen because it can read it from the registry. The app
> can only specify a registry path, and reads whatever the format is
> from there. But obviously the value in the registry can be written to
> by any application. Which, IMO, is trivially exploitable. So the
> application itself doesn't have to be malicious or crazy for this to
> happen; any other application messing up that registry value can do
> it.
> 
> Also note that it's mostly about passing it 3 times (hwndText); the
> rest is already required even for valid strings like %12s, which can be
> larger than the string itself (or other such format complications, I
> don't really want to make a printf parser...). I don't think it's a
> big deal to just pass it 3 times to be safe...

What does Windows do if it's passed %12s for example?

Huw.
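The sizing problem Gabriel describes above (a field width such as %12s, or a format that consumes the argument more than once, produces more output than "length of format plus length of string" accounts for) can be shown in a few lines of C. The following is an added example, not code from the patch or from Wine's shell32; it uses the narrow printf family as a stand-in for the wide-character functions the real code uses, and the format strings and user inputs are constructed here to stand in for a registry-supplied quick-complete format and the text typed into the control. It contrasts the naive estimate with measuring the expansion first (snprintf with a NULL buffer and size 0), allocating from that measurement, and checking the allocation for failure:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Naive estimate: format length plus argument length plus the terminator.
 * It undercounts whenever a conversion pads ("%12s") or the argument is
 * consumed more than once ("%s %s %s"). */
size_t naive_size(const char *fmt, const char *arg)
{
    return strlen(fmt) + strlen(arg) + 1;
}

/* Measure the expansion first: snprintf with a NULL buffer and size 0 returns
 * the number of characters the output would need, without the terminator.
 * The argument is passed three times so that a format with up to three
 * string conversions is fully fed; surplus arguments are simply ignored. */
size_t required_size(const char *fmt, const char *arg)
{
    int n = snprintf(NULL, 0, fmt, arg, arg, arg);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Expand fmt with arg into a heap buffer sized by measurement.  Returns NULL
 * on a formatting error or when the allocation fails; the caller frees. */
char *expand_checked(const char *fmt, const char *arg)
{
    size_t sz = required_size(fmt, arg);
    char *buf;

    if (sz == 0)
        return NULL;
    buf = malloc(sz);
    if (!buf)               /* the allocation failure the patch title refers to */
        return NULL;
    /* The write is bounded by sz, so it cannot run past the buffer even if
     * the two snprintf calls somehow disagreed. */
    snprintf(buf, sz, fmt, arg, arg, arg);
    return buf;
}

/* 1 when a buffer sized by naive_size() would be too small for the expansion. */
int naive_would_overflow(const char *fmt, const char *arg)
{
    return naive_size(fmt, arg) < required_size(fmt, arg);
}

int main(void)
{
    /* Constructed formats standing in for the registry-supplied string;
     * "ab" and "abcdefgh" are constructed user inputs. */
    const char *formats[] = { "%s", "%12s", "%s %s %s", "www.%s.com" };
    const char *inputs[] = { "ab", "abcdefgh" };
    size_t i, j;

    for (i = 0; i < sizeof formats / sizeof formats[0]; i++) {
        for (j = 0; j < sizeof inputs / sizeof inputs[0]; j++) {
            char *out = expand_checked(formats[i], inputs[j]);
            printf("%-10s arg=%-9s naive=%2zu needed=%2zu %-8s -> \"%s\"\n",
                   formats[i], inputs[j],
                   naive_size(formats[i], inputs[j]),
                   required_size(formats[i], inputs[j]),
                   naive_would_overflow(formats[i], inputs[j]) ? "OVERFLOW" : "ok",
                   out ? out : "(alloc failed)");
            free(out);
        }
    }
    return 0;
}
```

Two caveats a reviewer would want stated. Measuring with snprintf only sizes the buffer correctly; it does nothing about a format that contains conversions other than %s, which a value written into the registry by another process could carry, so the measurement is a fix for the overflow, not a substitute for treating the format as untrusted. And passing the argument three times covers at most three string conversions, which is the trade-off the thread discusses rather than a general solution.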



More information about the wine-devel mailing list