[resend] fusion: Avoid buffer overflow in enum_gac_assemblies.

Gerald Pfeifer gerald at pfeifer.com
Sun Nov 27 01:29:19 CST 2016


[ Marvin indicated testing went fine, and I did not see any feedback
  for two weeks. Only the description below has changed a little. ]

In enum_gac_assemblies we have the following

    sprintf(buf, ", Version=%s, Culture=%s, PublicKeyToken=%s",
            ffd.cFileName, culture, ptr);

culture is declared as char[MAX_PATH], and WIN32_FIND_DATAA.cFileName 
is CHAR[260], so a mere size of MAX_PATH for the output buffer buf is
not sufficient.

(We need to double sizeof(ffd.cFileName) since ptr also points
into it.)

Gerald


Signed-off-by: Gerald Pfeifer <gerald at pfeifer.com>
---
 dlls/fusion/tests/asmenum.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dlls/fusion/tests/asmenum.c b/dlls/fusion/tests/asmenum.c
index 1dc34a2..9ba77f7 100644
--- a/dlls/fusion/tests/asmenum.c
+++ b/dlls/fusion/tests/asmenum.c
@@ -223,7 +223,7 @@ typedef struct _tagASMNAME
 static BOOL enum_gac_assemblies(struct list *assemblies, int depth, LPSTR path)
 {
     WIN32_FIND_DATAA ffd;
-    CHAR buf[MAX_PATH];
+    CHAR buf[MAX_PATH+sizeof(ffd.cFileName)*2+40];
     CHAR disp[MAX_PATH];
     ASMNAME *name;
     HANDLE hfind;
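Review bot: The `+40` in the new `buf` declaration is an unexplained constant. The literal text of the format string quoted in the description (", Version=", ", Culture=", ", PublicKeyToken=") comes to 37 characters plus the terminating NUL, so 40 is sufficient, but a short comment or a size derived from sizeof on the format literal would make that checkable at a glance. The sprintf call itself stays unbounded, so correctness still depends on `culture` and `ffd.cFileName` keeping their current sizes; a bounded call such as snprintf(buf, sizeof(buf), ...) would keep the write inside `buf` if either changes. The hunk also leaves `disp` at MAX_PATH, so it is worth confirming that the now larger `buf` is never copied into it without a length check.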
-- 
2.10.1