[Try 2] WCMD_run_program overflow fix

Eric Ho ericho921 at gmail.com
Mon Mar 8 21:12:29 CST 2010


Sorry Ive accidentally attached the patch for the expected test outputs in
the first patch, please replace the previous 1/4 and 4/4 patch with these
new ones, thanks
-Eric
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.winehq.org/pipermail/wine-patches/attachments/20100308/57301621/attachment.htm>
-------------- next part --------------
diff --git a/programs/cmd/wcmdmain.c b/programs/cmd/wcmdmain.c
old mode 100644
new mode 100755
index f97a1fd..d7bd556
--- a/programs/cmd/wcmdmain.c
+++ b/programs/cmd/wcmdmain.c
@@ -1006,6 +1006,7 @@ void WCMD_run_program (WCHAR *command, int called) {
     GetFullPathNameW(param1, sizeof(pathtosearch)/sizeof(WCHAR), pathtosearch, NULL);
     lastSlash = strrchrW(pathtosearch, '\\');
     if (lastSlash && strchrW(lastSlash, '.') != NULL) extensionsupplied = TRUE;
+    if (strlenW(lastSlash+1)>=MAX_PATH) goto run_program_line_too_long;
     strcpyW(stemofsearch, lastSlash+1);
 
     /* Reduce pathtosearch to a path with trailing '\' to support c:\a.bat and
@@ -1037,11 +1038,13 @@ void WCMD_run_program (WCHAR *command, int called) {
     /* Work on the first directory on the search path */
     pos = strchrW(pathposn, ';');
     if (pos) {
+      if (pos-pathposn >= MAX_PATH) goto run_program_line_too_long;
       memcpy(thisDir, pathposn, (pos-pathposn) * sizeof(WCHAR));
       thisDir[(pos-pathposn)] = 0x00;
       pathposn = pos+1;
 
     } else {
+      if (strlenW(pathposn)>=MAX_PATH) goto run_program_line_too_long;
       strcpyW(thisDir, pathposn);
       pathposn = NULL;
     }
@@ -1051,7 +1054,6 @@ void WCMD_run_program (WCHAR *command, int called) {
     strcpyW(temp, thisDir);
     GetFullPathNameW(temp, MAX_PATH, thisDir, NULL);
 
-    /* 1. If extension supplied, see if that file exists */
     strcatW(thisDir, slashW);
     strcatW(thisDir, stemofsearch);
     pos = &thisDir[strlenW(thisDir)]; /* Pos = end of name */
@@ -1069,6 +1071,8 @@ void WCMD_run_program (WCHAR *command, int called) {
       WIN32_FIND_DATAW finddata;
       static const WCHAR allFiles[] = {'.','*','\0'};
 
+      if (strlenW(thisDir)+strlenW(allFiles) >= MAX_PATH) 
+        goto run_program_line_too_long;
       strcatW(thisDir,allFiles);
       h = FindFirstFileW(thisDir, &finddata);
       FindClose(h);
@@ -1081,10 +1085,14 @@ void WCMD_run_program (WCHAR *command, int called) {
           WCHAR *nextExt = strchrW(thisExt, ';');
 
           if (nextExt) {
+            if((pos-thisDir)+(nextExt-thisExt)>=MAX_PATH) 
+              goto run_program_line_too_long;
             memcpy(pos, thisExt, (nextExt-thisExt) * sizeof(WCHAR));
             pos[(nextExt-thisExt)] = 0x00;
             thisExt = nextExt+1;
           } else {
+	    if((pos-thisDir)+strlenW(thisExt)>=MAX_PATH) 
+              goto run_program_line_too_long;
             strcpyW(pos, thisExt);
             thisExt = NULL;
           }
@@ -1183,6 +1191,10 @@ void WCMD_run_program (WCHAR *command, int called) {
   errorlevel = 9009;
   return;
 
+ run_program_line_too_long:
+  WCMD_output_asis(WCMD_LoadMessage(WCMD_LINETOOLONG));
+  errorlevel = 9009;
+  return;
 }
 
 /*****************************************************************************
-------------- next part --------------
diff --git a/programs/cmd/tests/test_builtins.cmd.exp b/programs/cmd/tests/test_builtins.cmd.exp
index 2c0e980..f22b9c1 100644
--- a/programs/cmd/tests/test_builtins.cmd.exp
+++ b/programs/cmd/tests/test_builtins.cmd.exp
@@ -24,3 +24,9 @@ Testing case sensitivity with and without /i option
 if seems to default to case sensitivity
 if /i seems to work
 if /I seems to work
+------------ Testing overflow --------------
+Overflow by long filename with no explicit path was caught.
+Overflow by long filename with explicit path was caught.
+Overflow by long path was caught.
+Overflow by stemofsearch concatenation was caught.
+Overflow by allFiles concatenation was caught.
diff --git a/programs/cmd/tests/test_builtins.cmd b/programs/cmd/tests/test_builtins.cmd
index ed2b75b..5a551fc 100644
--- a/programs/cmd/tests/test_builtins.cmd
+++ b/programs/cmd/tests/test_builtins.cmd
@@ -43,3 +43,24 @@ if /i foo==FOO echo if /i seems to work
 if /i not foo==FOO echo if /i seems to be broken
 if /I foo==FOO echo if /I seems to work
 if /I not foo==FOO echo if /I seems to be broken
+
+echo ------------ Testing overflow --------------
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>NUL
+IF ERRORLEVEL 9023 echo Overflow by long filename with no explicit path was caught.
+IF NOT ERRORLEVEL 9023 echo Overflow by long filename with no explicit path was not caught
+
+./xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>NUL
+IF ERRORLEVEL 9009 echo Overflow by long filename with explicit path was caught.
+IF NOT ERRORLEVEL 9009 echo Overflow by long filename with explicit path was not caught
+
+./xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/;./>NUL
+IF ERRORLEVEL 9009 echo Overflow by long path was caught.
+IF NOT ERRORLEVEL 9009 echo Overflow by long path was not caught
+
+./xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/;./>NUL
+IF ERRORLEVEL 9009 echo Overflow by stemofsearch concatenation was caught.
+IF NOT ERRORLEVEL 9009 echo Overflow stemofsearch concatenation was not caught
+
+./xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxx>NUL
+IF ERRORLEVEL 9009 echo Overflow by allFiles concatenation was caught.
+IF NOT ERRORLEVEL 9009 echo Overflow allFiles concatenation was not caught

 /*****************************************************************************


More information about the wine-patches mailing list