[PATCH] krnl386.exe16: do not truncate the strcmp result (Coverity)
Marcus Meissner
marcus at jet.franken.de
Sat Jul 7 04:52:21 CDT 2012
Hi,
strcmp() might return a full 32bit wide difference in optimized
strcmp cases, so we need to avoid truncating the upper 16 bits.
(mysql security flaw resulting from such a truncation:
https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
)
Ciao, Marcus
---
dlls/krnl386.exe16/kernel.c | 9 ++++++++-
1 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/dlls/krnl386.exe16/kernel.c b/dlls/krnl386.exe16/kernel.c
index a1f7fff..afd08df 100644
--- a/dlls/krnl386.exe16/kernel.c
+++ b/dlls/krnl386.exe16/kernel.c
@@ -254,7 +254,14 @@ SEGPTR WINAPI KERNEL_AnsiLower16( SEGPTR strOrChar )
*/
INT16 WINAPI KERNEL_lstrcmp16( LPCSTR str1, LPCSTR str2 )
{
- return (INT16)strcmp( str1, str2 );
+ int ret = strcmp( str1, str2 );
+
+ /* Looks too complicated, but in optimized strcpy we might get
+ * a 32bit wide difference and would truncate it to 16 bit, so
+ * erronously returning equality. */
+ if (ret < 0) return -1;
+ if (ret > 0) return 1;
+ return 0;
}
/***********************************************************************
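Review bot: the new comment at `+ /* Looks too complicated, but in optimized strcpy we might get` names the wrong function; it is the strcmp() result on the line above that is being normalized, and "erronously" should read "erroneously". Collapsing the result to -1/0/1 is correct, since a strcmp-style return value only promises its sign, so the comment could say that plainly instead of calling the code complicated; a compact equivalent of the three returns is `return (ret > 0) - (ret < 0);`.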
--
1.7.3.4
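The truncation described in the message, as an added example that is not part of Marcus's patch or of Wine's code: `wide_strcmp` is a constructed model of a word-at-a-time strcmp that returns the arithmetic difference of the first differing 32-bit words, and its result is converted the way `KERNEL_lstrcmp16` did before the patch (truncating cast) and after it (sign clamp). The `INT16` typedef, `load_word`, `wide_strcmp`, `lstrcmp16_truncating`, `lstrcmp16_clamped` and `compare16` are all assumptions made for this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

typedef int16_t INT16;

/* Pack up to four bytes of s big-endian into *w; returns bytes consumed before a NUL (4 if none). */
static size_t load_word(const char *s, uint32_t *w)
{
    size_t n;
    *w = 0;
    for (n = 0; n < 4 && s[n] != '\0'; n++)
        *w |= (uint32_t)(unsigned char)s[n] << (8 * (3 - n));
    return n;
}

/* Constructed model of an optimized strcmp: compares whole words and returns their
 * difference, which can be up to 32 bits wide. Only the sign is meaningful. */
static int wide_strcmp(const char *a, const char *b)
{
    for (;;) {
        uint32_t wa, wb;
        size_t na = load_word(a, &wa), nb = load_word(b, &wb);
        if (wa != wb) {
            int64_t d = (int64_t)wa - (int64_t)wb;
            return d > INT_MAX ? INT_MAX : d < INT_MIN ? INT_MIN : (int)d;
        }
        if (na < 4 || nb < 4) return 0; /* equal words that hold the terminator */
        a += 4; b += 4;
    }
}

/* Pre-patch conversion: keeps only the low 16 bits (modular on common ABIs). */
static INT16 lstrcmp16_truncating(int ret) { return (INT16)ret; }
/* Patched conversion: only the sign survives, so nothing can be lost. */
static INT16 lstrcmp16_clamped(int ret) { return ret < 0 ? -1 : ret > 0 ? 1 : 0; }

/* Compare through the model and convert as Wine did before (clamp == 0) or after the patch. */
static INT16 compare16(const char *a, const char *b, int clamp)
{
    int ret = wide_strcmp(a, b);
    return clamp ? lstrcmp16_clamped(ret) : lstrcmp16_truncating(ret);
}

int main(void)
{
    /* "b" vs "a": raw 0x01000000 truncates to 0 (bogus equality); "banana" vs "apple": raw 0x00F0FDF5 truncates to -523 (wrong order). */
    printf("%d %d %d %d\n", compare16("b", "a", 0), compare16("b", "a", 1), compare16("banana", "apple", 0), compare16("banana", "apple", 1));
    return 0;
}
```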