[PATCH] handle sizes in PathCanonicalizeA

Marcus Meissner marcus at jet.franken.de
Sun Dec 3 11:18:38 CST 2006


Hi,

This resubmitted patch handles buffer overflows in PathCanonicalizeA
and PathCanonicalizeW.

It returns FALSE when an overflow is detected in the A function, and
FALSE when MAX_PATH would be overflowed in the W function.

Ciao, Marcus

---

 dlls/shlwapi/path.c       |    8 +++++++-
 dlls/shlwapi/tests/path.c |    7 ++-----
 2 files changed, 9 insertions(+), 6 deletions(-)

6762e4e822461ed0c014081669687b6909d3679e
diff --git a/dlls/shlwapi/path.c b/dlls/shlwapi/path.c
index f958f56..8aeca20 100644
--- a/dlls/shlwapi/path.c
+++ b/dlls/shlwapi/path.c
@@ -2341,7 +2341,11 @@ BOOL WINAPI PathCanonicalizeA(LPSTR lpsz
   {
     WCHAR szPath[MAX_PATH];
     WCHAR szBuff[MAX_PATH];
-    MultiByteToWideChar(CP_ACP,0,lpszPath,-1,szPath,MAX_PATH);
+    INT ret = MultiByteToWideChar(CP_ACP,0,lpszPath,-1,szPath,MAX_PATH);
+    if (ret > MAX_PATH) {
+      WARN("Path too long.\n");
+      return FALSE;
+    }
     bRet = PathCanonicalizeW(szBuff, szPath);
     WideCharToMultiByte(CP_ACP,0,szBuff,-1,lpszBuf,MAX_PATH,0,0);
   }
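Review bot: The added guard `if (ret > MAX_PATH)` cannot fire, because MultiByteToWideChar called with a non-zero output size never returns more than that size; when the converted path does not fit, it returns 0 and sets ERROR_INSUFFICIENT_BUFFER. As written, an over-long lpszPath still reaches PathCanonicalizeW, with szPath possibly left without a terminating NUL, so the read there is not bounded by this check. Test the failure value instead: `if (!ret) { WARN("Path too long.\n"); return FALSE; }`, which also leaves the last error that the updated test expects. The function body starts and ends outside the hunk.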
@@ -2394,6 +2398,8 @@ BOOL WINAPI PathCanonicalizeW(LPWSTR lps
   /* Canonicalize the rest of the path */
   while (*lpszSrc)
   {
+    if (lpszDst - lpszBuf >= MAX_PATH)
+      return FALSE;
     if (*lpszSrc == '.')
     {
       if (lpszSrc[1] == '\\' && (lpszSrc == lpszPath || lpszSrc[-1] == '\\' || lpszSrc[-1] == ':'))
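Review bot: The bound `lpszDst - lpszBuf >= MAX_PATH` at the top of the loop still admits a write at index MAX_PATH - 1, which leaves no slot for the terminator if one is stored after the loop (that code is outside the hunk, so this is inferred). It is also evaluated only once per iteration, so it bounds the output only if every branch below stores at most one WCHAR before looping again. Consider `if (lpszDst - lpszBuf >= MAX_PATH - 1)` with a comment such as `/* keep room for the terminating NUL */`. The early return also hands the caller FALSE with a partly written, unterminated lpszBuf and no last error set in this function; terminating the buffer and calling SetLastError before returning would make the failure easier to handle safely.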
diff --git a/dlls/shlwapi/tests/path.c b/dlls/shlwapi/tests/path.c
index 9746fbc..b636d4c 100644
--- a/dlls/shlwapi/tests/path.c
+++ b/dlls/shlwapi/tests/path.c
@@ -1464,11 +1464,8 @@ static void test_PathCanonicalizeA(void)
     lstrcpy(dest, "test");
     SetLastError(0xdeadbeef);
     res = PathCanonicalizeA(dest, too_long);
-    todo_wine
-    {
-        ok(!res, "Expected failure\n");
-        ok(GetLastError() == 0xdeadbeef, "Expected 0xdeadbeef, got %d\n", GetLastError());
-    }
+    ok(!res, "Expected failure\n");
+    ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
     ok(lstrlen(too_long) == LONG_LEN - 1, "Expected length LONG_LEN - 1, got %i\n", lstrlen(too_long));
 }
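Review bot: The updated assertions cover only one over-long input through the A entry point, so nothing pins the boundary the fix is about: a path whose canonical form is exactly MAX_PATH - 1 characters (should succeed) and one of MAX_PATH characters (should fail). Since `dest` is preset to "test" just before the call, it is also worth asserting its contents after the failure, so a partial write into the caller's buffer is caught. A direct PathCanonicalizeW case would exercise the new loop check, which the A path may never reach if the conversion fails first. test_PathCanonicalizeA starts outside the hunk.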
 
-- 
1.2.4


