regedit: Need 3 bytes of room at end of buffer for \r\n\0 to avoid endless loop.

Jiaxing Wang hello.wjx at gmail.com
Thu May 21 06:14:53 CDT 2015


---
 programs/regedit/regproc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

From 3ce63d9bdc2bb6a257358679e54955ff6c25e6e3 Mon Sep 17 00:00:00 2001
From: Jiaxing Wang <hello.wjx at gmail.com>
Date: Thu, 21 May 2015 16:24:09 +0800
Subject: regedit: Need 3 bytes of room at end of buffer for \r\n\0 to avoid
 endless loop.

This issue occurs when we read in a long line that would place
'\r' in the second-to-last position in the buffer, as:
[...,'\r', ].

Suppose we have read in the characters before '\r', '\r' is the next
character in the stream, and there are two free spaces left at the end
of the buffer; the buffer now looks like [..., , ].

We then read in '\r' through fgetc(); the following if(s[i] == '\r')
is satisfied, and in this situation if(i+2 >= size_to_get) is satisfied
too, so '\r' is put back through ungetc() and '\0' is written to that
position after the break out of the for loop, leaving the buffer as
[...,'\0', ].

The next strpbrk() will fail and pointer s will point to this '\0'; after
the continue, we get size_remaining == 2, and if we don't HeapReAlloc
the buffer we run into this situation again, causing an endless loop.
---
 programs/regedit/regproc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/programs/regedit/regproc.c b/programs/regedit/regproc.c
index 643b559..2d766de 100644
--- a/programs/regedit/regproc.c
+++ b/programs/regedit/regproc.c
@@ -641,7 +641,7 @@ static void processRegLinesA(FILE *in, char* first_chars)
             /* Do we need to expand the buffer ? */
             assert (s >= line && s <= line + lineSize);
             size_remaining = lineSize - (s-line);
-            if (size_remaining < 2) /* room for 1 character and the \0 */
+            if (size_remaining < 3) /* need at least 3 bytes of room for \r\n\0 */
             {
                 char *new_buffer;
                 size_t new_size = lineSize + REG_VAL_BUF_SIZE;
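Review bot: the new threshold of 3 only works because the inner loop's `if(i+2 >= size_to_get)` check (described in the commit message) uses the same "\r plus \n plus \0" requirement; the two constants live in different places and can drift apart again. Consider a single named constant or a comment on this line that points at the inner-loop check, e.g. `/* must match the i+2 >= size_to_get test below */`, and a regression test feeding a line whose '\r' lands in the second-to-last buffer slot, so the endless loop cannot silently return.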
-- 
1.9.1
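The commit message walks through the read loop by hand; the following is an added model of that loop, written for this page and not Wine's code, that lets you run both thresholds and see the difference. It assumes a small in-memory stream (`mem_stream`, `ms_getc`, `ms_ungetc`) standing in for `FILE*`/`fgetc()`/`ungetc()`, a `GROW_STEP` standing in for `REG_VAL_BUF_SIZE`, and an inner loop reconstructed from the description above (store '\r' as '\n' when followed by '\n', rewind when `i+2 >= size_to_get`). The endless loop is made observable by capping the number of passes through the outer "do we need to expand" check.

```c
/* Added model of regedit's line-reading loop; not the Wine source. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GROW_STEP 8      /* stand-in for REG_VAL_BUF_SIZE (assumed) */
#define MAX_PASSES 50    /* cap so an endless loop becomes a -1 result */

/* In-memory stand-in for FILE*, with only the getc/ungetc behaviour the loop uses. */
typedef struct { const char *data; size_t len; size_t pos; } mem_stream;
static int  ms_getc(mem_stream *m)   { return m->pos < m->len ? (unsigned char)m->data[m->pos++] : EOF; }
static void ms_ungetc(mem_stream *m) { if (m->pos > 0) m->pos--; }      /* push last char back */
static int  ms_eof(const mem_stream *m) { return m->pos >= m->len; }

static char last_line[64] = "";   /* the completed line, for inspection */

/* Returns the number of outer passes needed to assemble one line, or -1 if
 * MAX_PASSES is exceeded (the endless loop in this model). `threshold` is
 * the value compared against size_remaining: 2 before the patch, 3 after. */
static int read_line_model(mem_stream *m, size_t initial_size, size_t threshold)
{
    size_t lineSize = initial_size;
    char *line = malloc(lineSize), *s = line;
    int passes = 0;
    if (!line) return -1;

    for (;;) {
        size_t size_remaining, size_to_get, i;
        if (++passes > MAX_PASSES) { free(line); return -1; }

        /* Do we need to expand the buffer ? */
        size_remaining = lineSize - (size_t)(s - line);
        if (size_remaining < threshold) {
            char *new_buffer = realloc(line, lineSize + GROW_STEP);
            if (!new_buffer) { free(line); return -1; }
            line = new_buffer;
            s = line + lineSize - size_remaining;
            lineSize += GROW_STEP;
            size_remaining = lineSize - (size_t)(s - line);
        }
        size_to_get = size_remaining;

        /* Fill s[0..size_to_get-2]; i ends one past the last stored byte. */
        for (i = 0; i + 1 < size_to_get; ++i) {
            int xchar = ms_getc(m);
            if (xchar == EOF) break;
            s[i] = (char)xchar;
            if (s[i] == '\r') {
                /* Assume \r\n: need room for \r, \n and \0, else rewind. */
                if (i + 2 >= size_to_get) { ms_ungetc(m); break; }
                xchar = ms_getc(m);
                if (xchar == '\n') { s[i++] = '\n'; break; }   /* keep \n, drop \r */
                if (xchar != EOF) ms_ungetc(m);
            } else if (s[i] == '\n') {
                ++i;
                break;
            }
        }
        s[i] = '\0';

        /* Neither eol nor eof yet: go around for the rest of the line. */
        if (!ms_eof(m) && !strpbrk(s, "\r\n")) {
            s = strchr(s, '\0');
            continue;
        }
        snprintf(last_line, sizeof last_line, "%s", line);
        free(line);
        return passes;
    }
}

/* Convenience wrapper: run the model over a constructed input string. */
static int passes_for(const char *input, size_t initial_size, size_t threshold)
{
    mem_stream m = { input, strlen(input), 0 };
    return read_line_model(&m, initial_size, threshold);
}

int main(void)
{
    /* Constructed input: '\r' lands in the second-to-last slot of an 8-byte buffer. */
    int before = passes_for("abcdef\r\nX", 8, 2);
    int after  = passes_for("abcdef\r\nX", 8, 3);
    printf("threshold 2: %s\n", before < 0 ? "gave up after MAX_PASSES (endless loop)" : "ok");
    printf("threshold 3: %d passes, line = %s", after, last_line);
    return 0;
}
```

With the pre-patch threshold the second pass sees `size_remaining == 2`, does not grow, reads '\r' into a `size_to_get` of 2, rewinds, and repeats forever; with 3 the buffer grows on that pass and the '\r\n' is consumed. Inputs where '\r' lands anywhere else complete under either threshold, which is why the bug only shows on lines of a specific length.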


