[PATCH 0/1] MR11049: krnl386: Check name length in GetProcAddress16.
If GetProcAddress16 is called with a name longer than 255 characters, the strcpy in NE_GetOrdinal would overflow.

I wrote a small test program to confirm that Windows does not crash if 16-bit GetProcAddress is called with an impossibly long function name:

```c
/* Compile with Open Watcom: owcc proc16.c -bwindows -o proc16.exe */
#include <windows.h>
#include <string.h>
#include <stdio.h>

int main(void)
{
    char name[300];
    HMODULE gdi = LoadLibrary("gdi.exe");
    memset(name, 'A', sizeof(name) - 1);
    name[sizeof(name) - 1] = 0;
    printf("%p\n", GetProcAddress(gdi, name));
    return 0;
}
```

The bug was identified by Cursor, which is a mix of LLM models. I wrote the fix myself.

-- 
https://gitlab.winehq.org/wine/wine/-/merge_requests/11049
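The cover letter describes the defect pattern (an unbounded strcpy into a fixed scratch buffer) and the fix (rejecting names longer than 255 characters before the copy). The following is an added example, not Wine code and not the author's test program: it models that guard in a stand-alone C function. The buffer size NAME_BUF, the function names copy_name_checked and accepts_length, and the 'A'-filled input names are all assumptions constructed for the demonstration; the 255 limit is the one used by the patch.

```c
/* Added example (not from Wine or the patch author): a bounded variant of
 * "copy a caller-supplied name into a fixed buffer", with the length guard
 * the patch adds in GetProcAddress16 applied before the copy. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed buffer geometry: 255 usable characters plus the NUL terminator,
 * matching the "strlen(name) > 255" test in the patch. */
#define NAME_MAX_LEN 255
#define NAME_BUF     (NAME_MAX_LEN + 1)

/* Copies name into buf only if it fits. Returns 1 on success, 0 if the
 * name is rejected. The length walk stops at NAME_BUF bytes so that an
 * unterminated input cannot be read past the limit either. */
static int copy_name_checked(const char *name, char buf[NAME_BUF])
{
    size_t len = 0;
    while (len < NAME_BUF && name[len] != '\0')
        len++;
    if (len > NAME_MAX_LEN)          /* same condition as the patch */
        return 0;
    memcpy(buf, name, len + 1);      /* bounded: at most NAME_BUF bytes */
    return 1;
}

/* Constructed input: a name of n 'A' characters (n <= 511), fed through
 * the checked copy. Returns the copy's verdict. */
int accepts_length(size_t n)
{
    static char name[512];
    char buf[NAME_BUF];

    if (n >= sizeof(name))
        n = sizeof(name) - 1;
    memset(name, 'A', n);
    name[n] = '\0';
    return copy_name_checked(name, buf);
}

int main(void)
{
    /* 255 characters fit; 256 and the cover letter's 300 are rejected. */
    printf("255 -> %d\n", accepts_length(255));
    printf("256 -> %d\n", accepts_length(256));
    printf("300 -> %d\n", accepts_length(300));
    return 0;
}
```

The point of the bounded length walk is that the guard itself must not become the next overflow: strlen on a name with no terminator would read until it hit a zero byte, whereas stopping at NAME_BUF bytes gives the same verdict for every well-formed name and a safe rejection for a malformed one.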
From: Alex Henrie <alexhenrie24@gmail.com> If GetProcAddress16 is called with a name longer than 255 characters, the strcpy in NE_GetOrdinal would overflow. --- dlls/krnl386.exe16/ne_module.c | 1 + 1 file changed, 1 insertion(+) diff --git a/dlls/krnl386.exe16/ne_module.c b/dlls/krnl386.exe16/ne_module.c index bfb3263f9e4..8653db0be17 100644 --- a/dlls/krnl386.exe16/ne_module.c +++ b/dlls/krnl386.exe16/ne_module.c @@ -1663,6 +1663,7 @@ FARPROC16 WINAPI GetProcAddress16( HMODULE16 hModule, LPCSTR name ) if (HIWORD(name) != 0) { + if (strlen(name) > 255) return NULL; ordinal = NE_GetOrdinal( hModule, name ); TRACE("%04x '%s'\n", hModule, name ); } -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/11049
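Review bot: the new `if (strlen(name) > 255) return NULL;` guards only this call site, while the commit message places the unbounded strcpy inside NE_GetOrdinal; if NE_GetOrdinal has any other caller that passes a user-supplied name, that path stays exposed, so bounding the copy (or checking the length) inside NE_GetOrdinal itself would close the bug at its source rather than at one caller. The literal 255 also duplicates the size of the destination buffer in NE_GetOrdinal; deriving the limit from that buffer with sizeof or a shared constant keeps the two from drifting apart if the buffer is ever resized. Finally, the check sits before the TRACE, so an over-long name returns NULL with no log line; a WARN at the rejection point would make the failure diagnosable.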