[PATCH] handle sizes in PathCanonicalizeA
Marcus Meissner
marcus at jet.franken.de
Sun Dec 3 11:18:38 CST 2006
Hi,
This resubmitted patch handles buffer overflows in PathCanonicalizeA
and PathCanonicalizeW.
It returns FALSE when an overflow is detected in the A function, and
FALSE on overflowing MAX_PATH in the W function.
Ciao, Marcus
---
dlls/shlwapi/path.c | 8 +++++++-
dlls/shlwapi/tests/path.c | 7 ++-----
2 files changed, 9 insertions(+), 6 deletions(-)
6762e4e822461ed0c014081669687b6909d3679e
diff --git a/dlls/shlwapi/path.c b/dlls/shlwapi/path.c
index f958f56..8aeca20 100644
--- a/dlls/shlwapi/path.c
+++ b/dlls/shlwapi/path.c
@@ -2341,7 +2341,11 @@ BOOL WINAPI PathCanonicalizeA(LPSTR lpsz
{
WCHAR szPath[MAX_PATH];
WCHAR szBuff[MAX_PATH];
- MultiByteToWideChar(CP_ACP,0,lpszPath,-1,szPath,MAX_PATH);
+ INT ret = MultiByteToWideChar(CP_ACP,0,lpszPath,-1,szPath,MAX_PATH);
+ if (ret > MAX_PATH) {
+ WARN("Path too long.\n");
+ return FALSE;
+ }
bRet = PathCanonicalizeW(szBuff, szPath);
WideCharToMultiByte(CP_ACP,0,szBuff,-1,lpszBuf,MAX_PATH,0,0);
}
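Review bot: The added `ret > MAX_PATH` check in PathCanonicalizeA cannot fire, because MultiByteToWideChar is passed MAX_PATH as the destination size and reports a too-small buffer by returning 0 (with ERROR_INSUFFICIENT_BUFFER as the last error), never a count larger than the size it was given. An over-long input therefore still reaches PathCanonicalizeW, with szPath possibly left unterminated. The check should test the failure return instead, `if (!ret) {`, keeping the WARN and `return FALSE;` as they are. The function's signature and the start of its body are outside the hunk.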
@@ -2394,6 +2398,8 @@ BOOL WINAPI PathCanonicalizeW(LPWSTR lps
/* Canonicalize the rest of the path */
while (*lpszSrc)
{
+ if (lpszDst - lpszBuf >= MAX_PATH)
+ return FALSE;
if (*lpszSrc == '.')
{
if (lpszSrc[1] == '\\' && (lpszSrc == lpszPath || lpszSrc[-1] == '\\' || lpszSrc[-1] == ':'))
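Review bot: The new guard at the top of the while loop in PathCanonicalizeW still lets the loop store a character at index MAX_PATH - 1, so a terminating NUL written after the loop (outside this hunk, so inferred) would land one element past a MAX_PATH-sized buffer such as szBuff in the A wrapper. The early `return FALSE;` also leaves lpszBuf without a terminator, which matters for callers that ignore the result. Consider `if (lpszDst - lpszBuf >= MAX_PATH - 1) { *lpszBuf = '\0'; return FALSE; }`, with a comment stating that lpszBuf is assumed to hold MAX_PATH WCHARs. The loop body continues past the end of the hunk.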
diff --git a/dlls/shlwapi/tests/path.c b/dlls/shlwapi/tests/path.c
index 9746fbc..b636d4c 100644
--- a/dlls/shlwapi/tests/path.c
+++ b/dlls/shlwapi/tests/path.c
@@ -1464,11 +1464,8 @@ static void test_PathCanonicalizeA(void)
lstrcpy(dest, "test");
SetLastError(0xdeadbeef);
res = PathCanonicalizeA(dest, too_long);
- todo_wine
- {
- ok(!res, "Expected failure\n");
- ok(GetLastError() == 0xdeadbeef, "Expected 0xdeadbeef, got %d\n", GetLastError());
- }
+ ok(!res, "Expected failure\n");
+ ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
ok(lstrlen(too_long) == LONG_LEN - 1, "Expected length LONG_LEN - 1, got %i\n", lstrlen(too_long));
}
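Review bot: The expected last error changes from 0xdeadbeef to ERROR_INSUFFICIENT_BUFFER in the same commit that drops todo_wine, which reads as the test being adjusted to the implementation. Nothing in the visible path.c hunks calls SetLastError, so the value presumably comes from MultiByteToWideChar failing. If native shlwapi leaves the last error untouched, the assertion should keep 0xdeadbeef and the implementation should preserve it, which needs confirming against Windows. The test also seeds dest with "test", but no visible assertion checks dest after the failed call. Adding one would pin whether the output buffer may be written on failure.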
--
1.2.4