https://bugs.winehq.org/show_bug.cgi?id=46661
Bug ID: 46661
Summary: ISF_Desktop_fnGetDisplayNameOf function missing check for string variable This->sPathTarget before copy it
Product: Wine
Version: 4.0-rc7
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: shell32
Assignee: wine-bugs@winehq.org
Reporter: ossecurity@iscas.ac.cn
Distribution: ---
The ISF_Desktop_fnGetDisplayNameOf function is missing a check on the string variable This->sPathTarget before copying it.
Malware (viruses etc.) can leverage process injection techniques to hook this WINAPI function (ISF_Desktop_fnGetDisplayNameOf) and tamper with the string variable This->sPathTarget, which may cause a "NULL pointer dereference" and a "buffer overflow" in shell32.dll.
static HRESULT WINAPI ISF_Desktop_fnGetDisplayNameOf (IShellFolder2 * iface,
                LPCITEMIDLIST pidl, DWORD dwFlags, LPSTRRET strRet)
{
    IDesktopFolderImpl *This = impl_from_IShellFolder2(iface);
    ...
    pszPath = CoTaskMemAlloc((MAX_PATH +1) * sizeof(WCHAR));
    ...
    if (_ILIsDesktop (pidl))
    {
        if ((GET_SHGDN_RELATION (dwFlags) == SHGDN_NORMAL) &&
            (GET_SHGDN_FOR (dwFlags) & SHGDN_FORPARSING))
            strcpyW(pszPath, This->sPathTarget);//** missing check before copy **
We found a lot of similar code but are not sure about its seriousness yet. Any comments are helpful.
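The kind of check the report asks for, as an added example that is not Wine's code and not a proposed patch: a bounded wide-string copy that rejects a NULL source and a source with no terminator inside a (MAX_PATH + 1)-element destination. The names checked_copy_w, copy_status and fill_w, and the uint16_t stand-in for WCHAR, are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_PATH 260      /* Windows value; the excerpt allocates MAX_PATH + 1 WCHARs */
typedef uint16_t WCHAR;   /* stand-in for the 16-bit WCHAR used in shell32 */

enum copy_status { COPY_OK = 0, COPY_NULL_SRC, COPY_NULL_DST, COPY_TOO_LONG };

/* Hypothetical helper: copy src into dst, whose capacity is dst_len WCHARs
 * including the terminator. Reads at most dst_len units of src, never writes
 * past dst, and leaves dst as an empty string on every failure path. */
static enum copy_status checked_copy_w(WCHAR *dst, size_t dst_len, const WCHAR *src)
{
    size_t i;

    if (!dst || dst_len == 0) return COPY_NULL_DST;
    dst[0] = 0;
    if (!src) return COPY_NULL_SRC;          /* the NULL case raised in the report */

    for (i = 0; i < dst_len; i++) {
        dst[i] = src[i];
        if (src[i] == 0) return COPY_OK;     /* terminator fits inside dst */
    }
    dst[0] = 0;                              /* reject instead of silently truncating */
    return COPY_TOO_LONG;                    /* the overflow case raised in the report */
}

/* Constructed sample input: n copies of 'A' followed by a terminator. */
static void fill_w(WCHAR *buf, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) buf[i] = 'A';
    buf[n] = 0;
}

int main(void)
{
    WCHAR dst[MAX_PATH + 1];
    WCHAR fits[MAX_PATH + 1], too_long[MAX_PATH + 2];

    fill_w(fits, MAX_PATH);          /* exactly fills the buffer */
    fill_w(too_long, MAX_PATH + 1);  /* one character too many */
    printf("fits:     %d\n", (int)checked_copy_w(dst, MAX_PATH + 1, fits));
    printf("too long: %d\n", (int)checked_copy_w(dst, MAX_PATH + 1, too_long));
    printf("NULL src: %d\n", (int)checked_copy_w(dst, MAX_PATH + 1, NULL));
    return 0;
}
```

A caller in the position of the excerpt would map COPY_NULL_SRC and COPY_TOO_LONG to a failure HRESULT and free the allocated buffer instead of returning it.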