http://bugs.winehq.org/show_bug.cgi?id=21344 Summary: Buffer overflow in WCMD_run_program Product: Wine Version: 1.1.36 Platform: x86 OS/Version: Linux Status: UNCONFIRMED Severity: normal Priority: P2 Component: cmd AssignedTo: wine-bugs(a)winehq.org ReportedBy: dima(a)gmail.com The WCMD_run_program function in wcmdmain.c copies pathposn into thisDir without checking the size: /* Work on the first directory on the search path */ pos = strchrW(pathposn, ';'); if (pos) { memcpy(thisDir, pathposn, (pos-pathposn) * sizeof(WCHAR)); thisDir[(pos-pathposn)] = 0x00; pathposn = pos+1; } else { strcpyW(thisDir, pathposn); pathposn = NULL; } The size of pathposn can be up to MAXSTRING, while thisDir has size MAX_PATH. To reproduce: $ wine cmd /c 'Z:\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\foo' err:seh:setup_exception_record stack overflow 2144 bytes in thread 0019 eip 7bc3ea3e esp 00230ad0 stack 0x230000-0x231000-0x330000 -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.