[PATCH] shell32: fixed potential 1 byte buffer overwrite in execute_from_key (Coverity)
Marcus Meissner
marcus at jet.franken.de
Fri Jan 30 15:01:18 CST 2009
Hi,
CID 311, cmd[sizeof(cmd)/2]=0 might overflow the buffer (depending
on what the RegQueryValueW returns).
Ciao, Marcus
---
dlls/shell32/shlexec.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/dlls/shell32/shlexec.c b/dlls/shell32/shlexec.c
index 8a65636..1fbaabb 100644
--- a/dlls/shell32/shlexec.c
+++ b/dlls/shell32/shlexec.c
@@ -935,6 +935,8 @@ static UINT_PTR execute_from_key(LPCWSTR key, LPCWSTR lpFile, WCHAR *env, LPCWST
/* Is there a replace() function anywhere? */
cmdlen /= sizeof(WCHAR);
+ if (cmdlen >= sizeof(cmd)/sizeof(WCHAR))
+ cmdlen = sizeof(cmd)/sizeof(WCHAR)-1;
cmd[cmdlen] = '\0';
SHELL_ArgifyW(param, sizeof(param)/sizeof(WCHAR), cmd, lpFile, psei->lpIDList, szCommandline, &resultLen);
if (resultLen > sizeof(param)/sizeof(WCHAR))
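Review bot: the clamp `cmdlen = sizeof(cmd)/sizeof(WCHAR)-1` silently truncates the command when the registry data fills or exceeds `cmd`, and the truncated string is then passed straight to SHELL_ArgifyW and on to execution. Consider treating `cmdlen >= sizeof(cmd)/sizeof(WCHAR)` as a failure, or at least emitting a warning, instead of running a cut-off command line. A short comment above the check saying that the returned length may leave no room for the terminating NUL would also make the intent clear, since the existing comment above it is unrelated.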
--
1.5.6