http://bugs.winehq.org/show_bug.cgi?id=21344
Summary: Buffer overflow in WCMD_run_program Product: Wine Version: 1.1.36 Platform: x86 OS/Version: Linux Status: UNCONFIRMED Severity: normal Priority: P2 Component: cmd AssignedTo: wine-bugs@winehq.org ReportedBy: dima@gmail.com
The WCMD_run_program function in wcmdmain.c copies pathposn into thisDir without checking the size:
/* Work on the first directory on the search path */ pos = strchrW(pathposn, ';'); if (pos) { memcpy(thisDir, pathposn, (pos-pathposn) * sizeof(WCHAR)); thisDir[(pos-pathposn)] = 0x00; pathposn = pos+1;
} else { strcpyW(thisDir, pathposn); pathposn = NULL; }
The size of pathposn can be up to MAXSTRING, while thisDir has size MAX_PATH.
To reproduce:
$ wine cmd /c 'Z:\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\foo' err:seh:setup_exception_record stack overflow 2144 bytes in thread 0019 eip 7bc3ea3e esp 00230ad0 stack 0x230000-0x231000-0x330000