[PATCH v2 09/11] shell32/autocomplete: Avoid another buffer overflow and handle arbitrary sizes for the auto-append string

Gabriel Ivăncescu gabrielopcode at gmail.com
Thu Sep 6 13:26:19 CDT 2018


The previous code caps the auto-append text at 255 characters, which can
be easily exploited.

Signed-off-by: Gabriel Ivăncescu <gabrielopcode at gmail.com>
---
 dlls/shell32/autocomplete.c | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/dlls/shell32/autocomplete.c b/dlls/shell32/autocomplete.c
index fa965c0..af8c067 100644
--- a/dlls/shell32/autocomplete.c
+++ b/dlls/shell32/autocomplete.c
@@ -271,12 +271,23 @@ static LRESULT APIENTRY ACEditSubclassProc(HWND hwnd, UINT uMsg, WPARAM wParam,
 
                 if (!strncmpiW(hwndText, strs, len)) {
                     if (cpt == 0 && noautoappend == FALSE) {
-                        WCHAR buffW[255];
+                        /* The character capitalization can be different,
+                           so merge hwndText and strs into a new string */
+                        WCHAR *tmp;
+                        size_t strslen = len + strlenW(&strs[len]);
+
+                        if ((tmp = heap_alloc((strslen+1) * sizeof(WCHAR))))
+                        {
+                            memcpy(tmp, hwndText, len * sizeof(WCHAR));
+                            memcpy(&tmp[len], &strs[len], (strslen-len+1) * sizeof(WCHAR));
+                        }
+                        else tmp = strs;
+
+                        SendMessageW(hwnd, WM_SETTEXT, 0, (LPARAM)tmp);
+                        SendMessageW(hwnd, EM_SETSEL, len, strslen);
+                        if (tmp != strs)
+                            heap_free(tmp);
 
-                        strcpyW(buffW, hwndText);
-                        strcatW(buffW, &strs[len]);
-                        SetWindowTextW(hwnd, buffW);
-                        SendMessageW(hwnd, EM_SETSEL, len, strlenW(strs));
                         if (!(This->options & ACO_AUTOSUGGEST)) {
                             CoTaskMemFree(strs);
                             break;
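Review bot: `size_t strslen = len + strlenW(&strs[len]);` indexes `strs` at `len` without any visible bound on the length of `strs`; it is safe only because the `strncmpiW(hwndText, strs, len)` test above matched and, presumably, `hwndText` is exactly `len` characters long, which is established outside the hunk. A comment recording that invariant next to the new line, e.g. `/* strs has at least len chars: strncmpiW matched all of hwndText's len chars */`, would keep a later change to the comparison from turning this into an out-of-bounds read. The fallback `else tmp = strs;` on allocation failure silently replaces the user's typed capitalization with the candidate's casing; that is a reasonable best-effort choice but deserves a note such as `/* out of memory: fall back to the candidate string's own casing */`. The enclosing ACEditSubclassProc starts and ends outside the hunk.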
-- 
1.9.1



