kernel32: Avoid two potential buffer overflows of cStr in create_hardware_branch.
Gerald Pfeifer
gerald at pfeifer.com
Sat Oct 8 15:31:15 CDT 2016
In create_hardware_branch() we have a buffer of char[40], but then
use sprintf to fill this that can exceed those 40 characters by using
a format specifier of "/proc/ide/%s/media" and struct dirent.d_name
for the parameter.
GCC 7 will diagnose this.
Signed-off-by: Gerald Pfeifer <gerald at pfeifer.com>
---
dlls/kernel32/oldconfig.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/dlls/kernel32/oldconfig.c b/dlls/kernel32/oldconfig.c
index 6c80dc6..b7f77bf 100644
--- a/dlls/kernel32/oldconfig.c
+++ b/dlls/kernel32/oldconfig.c
@@ -275,7 +275,9 @@ static void create_hardware_branch(void)
DIR *idedir;
struct dirent *dent = NULL;
FILE *procfile = NULL;
- char cStr[40], cDevModel[40], cUnixDeviceName[40], read1[10] = "\0", read2[10] = "\0";
+ char cStr[sizeof(dent->d_name)+sizeof(procname_ide_media)],
+ cDevModel[40], cUnixDeviceName[40],
+ read1[10] = "\0", read2[10] = "\0";
SCSI_ADDRESS scsi_addr;
UINT nType;
struct LinuxProcScsiDevice dev;
--
2.9.2
More information about the wine-patches
mailing list