https://bugs.winehq.org/show_bug.cgi?id=46661

            Bug ID: 46661
           Summary: ISF_Desktop_fnGetDisplayNameOf function missing check for string variable This->sPathTarget before copy it
           Product: Wine
           Version: 4.0-rc7
          Hardware: x86
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: shell32
          Assignee: wine-bugs(a)winehq.org
          Reporter: ossecurity(a)iscas.ac.cn
      Distribution: ---

The ISF_Desktop_fnGetDisplayNameOf function is missing the check for the string variable This->sPathTarget before copying it. Malware (virus etc.) can leverage process injection techniques to hook this WINAPI function (ISF_Desktop_fnGetDisplayNameOf) and tamper with the string variable This->sPathTarget, which may cause "NULL pointer dereference" and "buffer overflow" in shell32.dll.

    static HRESULT WINAPI ISF_Desktop_fnGetDisplayNameOf (IShellFolder2 * iface,
                    LPCITEMIDLIST pidl, DWORD dwFlags, LPSTRRET strRet)
    {
        IDesktopFolderImpl *This = impl_from_IShellFolder2(iface);
        ...
        pszPath = CoTaskMemAlloc((MAX_PATH +1) * sizeof(WCHAR));
        ...
        if (_ILIsDesktop (pidl))
        {
            if ((GET_SHGDN_RELATION (dwFlags) == SHGDN_NORMAL) &&
                (GET_SHGDN_FOR (dwFlags) & SHGDN_FORPARSING))
                strcpyW(pszPath, This->sPathTarget);//** missing check before copy **

We find a lot of similar code but are not sure about its seriousness yet. Any comments are helpful.
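
The kind of check the report asks for, as an added example (not Wine's code and not part of the report): a copy into a MAX_PATH + 1 wide-character buffer that rejects a NULL or oversized source instead of doing an unbounded string copy. The names copy_path_checked and bounded_wcslen, the status codes and the sample path are assumptions for illustration, and standard C wchar_t stands in for WCHAR.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#define MAX_PATH 260  /* same value as the Windows constant */

/* Hypothetical status codes for this example (not Wine's HRESULT values). */
enum copy_status { COPY_OK = 0, COPY_NULL_ARG = -1, COPY_TOO_LONG = -2 };

/* Length of s, reading at most `limit` characters, so a source without a
 * terminator cannot cause an over-read while it is being measured. */
static size_t bounded_wcslen(const wchar_t *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != L'\0') n++;
    return n;
}

/* Copy src into dst, which holds dst_chars wide characters. Rejects NULL
 * pointers and any source that does not fit together with its terminator.
 * On failure dst is left as an empty string. */
enum copy_status copy_path_checked(wchar_t *dst, size_t dst_chars,
                                   const wchar_t *src)
{
    size_t len;

    if (!dst || dst_chars == 0) return COPY_NULL_ARG;
    dst[0] = L'\0';
    if (!src) return COPY_NULL_ARG;            /* the NULL dereference case */

    len = bounded_wcslen(src, dst_chars);
    if (len == dst_chars) return COPY_TOO_LONG; /* the overflow case */

    memcpy(dst, src, (len + 1) * sizeof(wchar_t));
    return COPY_OK;
}

int main(void)
{
    wchar_t path[MAX_PATH + 1];
    /* Constructed sample inputs. */
    printf("valid: %d\n", copy_path_checked(path, MAX_PATH + 1, L"C:\\users\\test\\Desktop"));
    printf("NULL:  %d\n", copy_path_checked(path, MAX_PATH + 1, NULL));
    return 0;
}
```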