From: Spencer Wallace <spencerwallace@esri.com> --- programs/cmd/tests/test_cmdline.cmd | 6 ++---- programs/cmd/wcmdmain.c | 19 ++++++++++++++++--- 2 files changed, 18 insertions(+), 7 deletions(-) diff --git a/programs/cmd/tests/test_cmdline.cmd b/programs/cmd/tests/test_cmdline.cmd index 1c657b2ef2f..10fc46bf60b 100644 --- a/programs/cmd/tests/test_cmdline.cmd +++ b/programs/cmd/tests/test_cmdline.cmd @@ -65,14 +65,12 @@ echo errorlevel: %ERRORLEVEL% echo --- Test 21 rem test cmd.exe /c with absolute path including long directory + executable containing a space, exceeding MAX_PATH -rem crashes, returns 0xc0000005 -rem cmd.exe /c "Z:\foobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobar\foo bar.bat" >nul 2>nul +cmd.exe /c "Z:\foobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobar\foo bar.bat" >nul 2>nul echo errorlevel: %ERRORLEVEL% echo --- Test 22 rem test cmd.exe /c with relative path including long directory + executable containing a space, exceeding MAX_PATH -rem crashes, returns 0xc0000005 -rem cmd.exe /c "foobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobar\foo bar.bat" >nul 2>nul +cmd.exe /c "foobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobar\foo bar.bat" >nul 2>nul echo errorlevel: %ERRORLEVEL% rem Directories are ignored when searching for executable files diff --git a/programs/cmd/wcmdmain.c b/programs/cmd/wcmdmain.c index 4aec2e882e9..16fb900f917 100644 --- a/programs/cmd/wcmdmain.c +++ b/programs/cmd/wcmdmain.c @@ -2009,7 +2009,7 @@ static RETURN_CODE search_command(WCHAR *command, struct search_command *sc, BOO if (len == 0 || len >= ARRAY_SIZE(pathtosearch) - 2) wcscpy(pathtosearch, L"."); sc->has_extension = wcschr(firstParam, L'.') != NULL; - if (wcslen(firstParam) >= MAX_PATH) + if (wcslen(firstParam) >= ARRAY_SIZE(stemofsearch)) { WCMD_output_asis_stderr(WCMD_LoadMessage(WCMD_LINETOOLONG)); return ERROR_INVALID_FUNCTION; @@ -2020,12 +2020,19 @@ static RETURN_CODE search_command(WCHAR *command, struct search_command *sc, BOO } else { + WCHAR* stem; /* Convert eg. ..\fred to include a directory by removing file part */ if (!WCMD_get_fullpath(firstParam, ARRAY_SIZE(pathtosearch), pathtosearch, NULL)) return ERROR_INVALID_FUNCTION; lastSlash = wcsrchr(pathtosearch, L'\\'); - sc->has_extension = wcschr(lastSlash ? lastSlash + 1 : firstParam, L'.') != NULL; - wcscpy(stemofsearch, lastSlash ? lastSlash + 1 : firstParam); + stem = lastSlash ? lastSlash + 1 : firstParam; + if (wcslen(stem) >= ARRAY_SIZE(stemofsearch)) + { + WCMD_output_asis_stderr(WCMD_LoadMessage(WCMD_LINETOOLONG)); + return ERROR_INVALID_FUNCTION; + } + sc->has_extension = wcschr(stem, L'.') != NULL; + wcscpy(stemofsearch, stem); /* Reduce pathtosearch to a path with trailing '\' to support c:\a.bat and c:\windows\a.bat syntax */ @@ -2048,6 +2055,8 @@ static RETURN_CODE search_command(WCHAR *command, struct search_command *sc, BOO if (sc->has_path) { + if (wcslen(pathposn) >= ARRAY_SIZE(sc->path)) + return ERROR_INVALID_FUNCTION; wcscpy(sc->path, pathposn); pathposn = NULL; } @@ -2064,12 +2073,16 @@ static RETURN_CODE search_command(WCHAR *command, struct search_command *sc, BOO if (*pos) /* Reached semicolon */ { + if ((pos - pathposn) >= ARRAY_SIZE(sc->path)) + return ERROR_INVALID_FUNCTION; memcpy(sc->path, pathposn, (pos-pathposn) * sizeof(WCHAR)); sc->path[(pos-pathposn)] = 0x00; pathposn = pos+1; } else /* Reached string end */ { + if (wcslen(pathposn) >= ARRAY_SIZE(sc->path)) + return ERROR_INVALID_FUNCTION; wcscpy(sc->path, pathposn); pathposn = NULL; } -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/10629