[PATCH] user32: Avoid buffer overflow on long texts in winproc.

Roman Pišl rpisl at seznam.cz
Wed Mar 25 07:33:33 CDT 2020 

Hello,
this one fell off the list. Is it completely wrong or just nobody is 
interested? Or writing a test would help (which is easy in this case)? 
Also simple controls demo applications are affected - pasting large text 
into the control is enough for crash.

Roman

Dne 06. 02. 20 v 18:33 Roman Pišl napsal(a):
> Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=48559
> 
> Signed-off-by: Roman Pišl <rpisl at seznam.cz>
> ---
>   dlls/user32/winproc.c | 22 ++++++++++++++++------
>   1 file changed, 16 insertions(+), 6 deletions(-)
> 
> diff --git a/dlls/user32/winproc.c b/dlls/user32/winproc.c
> index 6de650cd1e..14555f5a71 100644
> --- a/dlls/user32/winproc.c
> +++ b/dlls/user32/winproc.c
> @@ -517,16 +517,21 @@ LRESULT WINPROC_CallProcAtoW( winproc_callback_t callback, HWND hwnd, UINT msg,
>       case CB_GETLBTEXT:
>           if (lParam && WINPROC_TestLBForStr( hwnd, msg ))
>           {
> -            WCHAR buffer[512];  /* FIXME: fixed sized buffer */
> +            WCHAR *ptr, buffer[512];
> +            UINT msgGetTextLen = (msg == CB_GETLBTEXT) ? CB_GETLBTEXTLEN : LB_GETTEXTLEN;
> +            LRESULT len = 0;
>   
> -            ret = callback( hwnd, msg, wParam, (LPARAM)buffer, result, arg );
> +            callback( hwnd, msgGetTextLen, wParam, 0, &len, arg );
> +            if (!(ptr = get_buffer( buffer, sizeof(buffer), (len + 1) * sizeof(WCHAR) ))) break;
> +            ret = callback( hwnd, msg, wParam, (LPARAM)ptr, result, arg );
>               if (*result >= 0)
>               {
>                   DWORD len;
>                   RtlUnicodeToMultiByteN( (LPSTR)lParam, ~0u, &len,
> -                                        buffer, (strlenW(buffer) + 1) * sizeof(WCHAR) );
> +                                        ptr, (strlenW(ptr) + 1) * sizeof(WCHAR) );
>                   *result = len - 1;
>               }
> +            free_buffer( buffer, ptr );
>           }
>           else ret = callback( hwnd, msg, wParam, lParam, result, arg );
>           break;
> @@ -777,15 +782,20 @@ static LRESULT WINPROC_CallProcWtoA( winproc_callback_t callback, HWND hwnd, UIN
>       case CB_GETLBTEXT:
>           if (lParam && WINPROC_TestLBForStr( hwnd, msg ))
>           {
> -            char buffer[512];  /* FIXME: fixed sized buffer */
> +            char *ptr, buffer[512];
> +            UINT msgGetTextLen = (msg == CB_GETLBTEXT) ? CB_GETLBTEXTLEN : LB_GETTEXTLEN;
> +            LRESULT len = 0;
> +            callback( hwnd, msgGetTextLen, wParam, 0, &len, arg );
> +            if (!(ptr = get_buffer( buffer, sizeof(buffer), len + 1 ))) break;
>   
> -            ret = callback( hwnd, msg, wParam, (LPARAM)buffer, result, arg );
> +            ret = callback( hwnd, msg, wParam, (LPARAM)ptr, result, arg );
>               if (*result >= 0)
>               {
>                   DWORD len;
> -                RtlMultiByteToUnicodeN( (LPWSTR)lParam, ~0u, &len, buffer, strlen(buffer) + 1 );
> +                RtlMultiByteToUnicodeN( (LPWSTR)lParam, ~0u, &len, ptr, strlen(ptr) + 1 );
>                   *result = len / sizeof(WCHAR) - 1;
>               }
> +            free_buffer( buffer, ptr );
>           }
>           else ret = callback( hwnd, msg, wParam, lParam, result, arg );
>           break;
>

More information about the wine-devel mailing list