kernel32: Avoid two potential buffer overflows of cStr in create_hardware_branch.

Gerald Pfeifer gerald at pfeifer.com
Sat Oct 8 15:31:15 CDT 2016


In create_hardware_branch() we have a buffer of char[40], but then
use sprintf to fill this that can exceed those 40 characters by using
a format specifier of "/proc/ide/%s/media" and struct dirent.d_name 
for the parameter.

GCC 7 will diagnose this.

Signed-off-by: Gerald Pfeifer <gerald at pfeifer.com>
---
 dlls/kernel32/oldconfig.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/dlls/kernel32/oldconfig.c b/dlls/kernel32/oldconfig.c
index 6c80dc6..b7f77bf 100644
--- a/dlls/kernel32/oldconfig.c
+++ b/dlls/kernel32/oldconfig.c
@@ -275,7 +275,9 @@ static void create_hardware_branch(void)
     DIR *idedir;
     struct dirent *dent = NULL;
     FILE *procfile = NULL;
-    char cStr[40], cDevModel[40], cUnixDeviceName[40], read1[10] = "\0", read2[10] = "\0";
+    char cStr[sizeof(dent->d_name)+sizeof(procname_ide_media)],
+         cDevModel[40], cUnixDeviceName[40],
+         read1[10] = "\0", read2[10] = "\0";
     SCSI_ADDRESS scsi_addr;
     UINT nType;
     struct LinuxProcScsiDevice dev;
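Review bot: The new cStr declaration enlarges the buffer, but the diffstat shows no other change, so the writes described in the commit message are still unbounded sprintf calls, and safety now depends on this size expression staying in step with every format string used on cStr. Consider also changing those calls to snprintf(cStr, sizeof(cStr), ...) so the bound is enforced where the write happens. Two things to confirm about the size expression itself: sizeof(procname_ide_media) only counts the string if procname_ide_media is declared as a char array rather than a pointer, and its declaration is not in this hunk; and the subject mentions two overflows while only the "/proc/ide/%s/media" format is named, so please state which second format the new size was checked against. A one-line comment above the declaration saying how the size was derived would help the next reader.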
-- 
2.9.2


