[PATCH] wineusb.sys: Fix a potential buffer overflow in add_usb_device().

Francois Gouget fgouget at free.fr
Sun Aug 22 11:19:35 CDT 2021


name needs to be able to hold 15 characters plus an unsigned int,
potentially up to 10 characters even if it is unlikely, plus the
trailing nul character.

Signed-off-by: Francois Gouget <fgouget at free.fr>
---
From:
    static const WCHAR formatW[] = {'\\','D','e','v','i','c','e','\\','U','S','B','P','D','O','-','%','u',0};
...
    sprintfW(name, formatW, name_index++);
---
 dlls/wineusb.sys/wineusb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dlls/wineusb.sys/wineusb.c b/dlls/wineusb.sys/wineusb.c
index fae297915fc..a7156899379 100644
--- a/dlls/wineusb.sys/wineusb.c
+++ b/dlls/wineusb.sys/wineusb.c
@@ -94,7 +94,7 @@ static void add_usb_device(libusb_device *libusb_device)
     DEVICE_OBJECT *device_obj;
     UNICODE_STRING string;
     NTSTATUS status;
-    WCHAR name[20];
+    WCHAR name[26];
     int ret;
 
     libusb_get_device_descriptor(libusb_device, &device_desc);
-- 
2.20.1



More information about the wine-devel mailing list