[Bug 21344] New: Buffer overflow in WCMD_run_program
http://bugs.winehq.org/show_bug.cgi?id=21344 Summary: Buffer overflow in WCMD_run_program Product: Wine Version: 1.1.36 Platform: x86 OS/Version: Linux Status: UNCONFIRMED Severity: normal Priority: P2 Component: cmd AssignedTo: wine-bugs(a)winehq.org ReportedBy: dima(a)gmail.com The WCMD_run_program function in wcmdmain.c copies pathposn into thisDir without checking the size: /* Work on the first directory on the search path */ pos = strchrW(pathposn, ';'); if (pos) { memcpy(thisDir, pathposn, (pos-pathposn) * sizeof(WCHAR)); thisDir[(pos-pathposn)] = 0x00; pathposn = pos+1; } else { strcpyW(thisDir, pathposn); pathposn = NULL; } The size of pathposn can be up to MAXSTRING, while thisDir has size MAX_PATH. To reproduce: $ wine cmd /c 'Z:\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\foo' err:seh:setup_exception_record stack overflow 2144 bytes in thread 0019 eip 7bc3ea3e esp 00230ad0 stack 0x230000-0x231000-0x330000 -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=21344 --- Comment #1 from Dima Ryazanov <dima(a)gmail.com> 2010-01-12 12:37:10 --- This also happens in completely legitimate cases - when the command has as a long argument list that contains backslashes. -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=21344 Austin English <austinenglish(a)gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |download, testcase -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=21344 Jason Edmeades <us(a)edmeades.me.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |us(a)edmeades.me.uk -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=21344 Dan Kegel <dank(a)kegel.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |NEW CC| |dank(a)kegel.com Ever Confirmed|0 |1 --- Comment #2 from Dan Kegel <dank(a)kegel.com> 2010-01-24 14:04:18 --- By the way, bug 13469 was also about buffer overflows. We should probably have a conformance/regression test that checks all of those examples, in addition to the one Dima gave. (Dima ran into this running a scons script, see bug 18346.) Getting ambitious, we might want to write test cases to tickle every unchecked strcpyW/strcatW in wine's cmd. -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=21344 --- Comment #3 from ericho921(a)gmail.com 2010-03-03 22:49:08 --- Created an attachment (id=26587) --> (http://bugs.winehq.org/attachment.cgi?id=26587) patch for fixing overflow in WCMD_run_program -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=21344 Frédéric Delanoy <frederic.delanoy(a)gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |frederic.delanoy(a)gmail.com --- Comment #4 from Frédéric Delanoy <frederic.delanoy(a)gmail.com> 2011-07-25 17:50:32 CDT --- (In reply to comment #3)
Created an attachment (id=26587) --> (http://bugs.winehq.org/attachment.cgi?id=26587) [details] patch for fixing overflow in WCMD_run_program
Patches should be sent to wine-patches mailing list. They won't be picked up from here. -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=21344 --- Comment #5 from Frédéric Delanoy <frederic.delanoy(a)gmail.com> 2012-11-09 19:01:14 CST --- Still in 1.5.17 -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=21344 --- Comment #6 from Frédéric Delanoy <frederic.delanoy(a)gmail.com> 2013-06-07 07:49:24 CDT --- Still in wine-1.5.31-225-gba40509 -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=21344 --- Comment #7 from Jason Edmeades <us(a)edmeades.me.uk> 2013-06-11 17:06:15 CDT --- Note this seems to have been submitted but not sure on the feedback (http://marc.info/?a=126772329700001&r=1&w=2) -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=21344 --- Comment #8 from Dan Kegel <dank(a)kegel.com> 2013-06-12 00:12:41 CDT --- If Eric Ho isn't around anymore, someone else probably needs to write their own fix for this from scratch and submit it. Alexandre frowns on reposting other people's patches. -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.
https://bugs.winehq.org/show_bug.cgi?id=21344 super_man(a)post.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |super_man(a)post.com --- Comment #9 from super_man(a)post.com --- Still an issue 1.7.50 -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.
https://bugs.winehq.org/show_bug.cgi?id=21344 winetest(a)luukku.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |winetest(a)luukku.com --- Comment #10 from winetest(a)luukku.com --- I saw similar patch being made at some bug. the originl buffer was like this MAX_PATH; Then the fix was like this MAX_PATH+ANOTHER_BUFFER; And it prevented buffer running out too soon. I think similar would work here. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.
https://bugs.winehq.org/show_bug.cgi?id=21344 --- Comment #11 from Gijs Vermeulen <gijsvrm(a)gmail.com> --- Still present with wine-8.9. I did have to remove the quotes from the example in the OP. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.
https://bugs.winehq.org/show_bug.cgi?id=21344 Vijay Kamuju <infyquest(a)gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |infyquest(a)gmail.com Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #12 from Vijay Kamuju <infyquest(a)gmail.com> --- This is now fixed in wine 9.12, no crash -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.
https://bugs.winehq.org/show_bug.cgi?id=21344 Alexandre Julliard <julliard(a)winehq.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #13 from Alexandre Julliard <julliard(a)winehq.org> --- Closing bugs fixed in 9.13. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.
participants (2)
-
wine-bugs@winehq.org -
WineHQ Bugzilla