http://bugs.winehq.org/show_bug.cgi?id=10095
Summary: buffer overflow in RtlGetFullPathName_U
Product: Wine
Version: 0.9.47.
Platform: PC
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P1
Component: wine-loader
AssignedTo: wine-bugs@winehq.org
ReportedBy: mbuilov@gmail.com
Please review wine/dlls/ntdll/path.c, RtlGetFullPathName_U():
    /******************************************************************
     *             RtlGetFullPathName_U  (NTDLL.@)
     *
     * Returns the number of bytes written to buffer (not including the
     * terminating NULL) if the function succeeds, or the required number of bytes
     * (including the terminating NULL) if the buffer is too small.
     *
     * file_part will point to the filename part inside buffer (except if we use
     * DOS device name, in which case file_in_buf is NULL)
     *
     */
    DWORD WINAPI RtlGetFullPathName_U(const WCHAR* name, ULONG size, WCHAR* buffer,
                                      WCHAR** file_part)
    {
        ....skipped......
        reqsize = get_full_path_helper(name, buffer, size);
        if (!reqsize) return 0;
        if (reqsize > size)
        {
            LPWSTR tmp = RtlAllocateHeap(GetProcessHeap(), 0, reqsize);
            reqsize = get_full_path_helper(name, tmp, reqsize);
            if (reqsize > size)  /* it may have worked the second time */
            {
                RtlFreeHeap(GetProcessHeap(), 0, tmp);
                return reqsize + sizeof(WCHAR);
            }
            memcpy( buffer, tmp, reqsize + sizeof(WCHAR) );
            RtlFreeHeap(GetProcessHeap(), 0, tmp);
        }
The last memcpy() will try to copy (reqsize + sizeof(WCHAR)) bytes into a buffer of (size) bytes, but here (reqsize) may be equal to (size).
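To make the off-by-one in the report concrete, the following is an added, stand-alone C example; it is neither Wine's code nor code from this bug report. It replaces get_full_path_helper() with a hypothetical expand_path() that prepends a made-up C:\wine\ prefix, and runs the caller-side logic from the report twice: once with the report's fit test (reqsize > size) and once with a test that also counts the terminating NUL that the memcpy() copies (reqsize + sizeof(WCHAR) > size). The terminator-aware check is an illustration of what the reported condition requires, not a claim about what the Wine commit changed. The caller's buffer is carved out of the front of a larger arena filled with canary bytes, so the two-byte overrun can be observed without writing outside any object. The WCHAR/ULONG/DWORD typedefs, the CWD prefix and the input file name are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the Win32 types used in the report (assumed definitions). */
typedef uint16_t WCHAR;
typedef uint32_t ULONG;
typedef uint32_t DWORD;

/* Hypothetical current directory prepended by the stand-in expander. */
static const char CWD_PREFIX[] = "C:\\wine\\";

/* Bytes the expanded path needs, NOT counting the terminating NUL. This is
 * what the report's reqsize holds when the memcpy() runs. */
static size_t expanded_bytes(const char *name)
{
    return (strlen(CWD_PREFIX) + strlen(name)) * sizeof(WCHAR);
}

/* Stand-in for get_full_path_helper() (not Wine's logic): writes
 * CWD_PREFIX + name as UTF-16 plus a terminating NUL into out, which must
 * hold expanded_bytes(name) + sizeof(WCHAR) bytes. */
static void expand_path(const char *name, WCHAR *out)
{
    size_t n = 0;
    for (const char *p = CWD_PREFIX; *p; p++) out[n++] = (WCHAR)(unsigned char)*p;
    for (const char *p = name; *p; p++)       out[n++] = (WCHAR)(unsigned char)*p;
    out[n] = 0;
}

/* Caller-side logic shaped like the report's second attempt. Returns bytes
 * written (excluding NUL) on success, or bytes required (including NUL) when
 * the buffer is too small. check_terminator == 0 uses the report's fit test
 * "reqsize > size"; == 1 also counts the NUL that the memcpy() copies. */
static DWORD get_full_path(const char *name, ULONG size, WCHAR *buffer,
                           int check_terminator)
{
    size_t reqsize = expanded_bytes(name);
    WCHAR *tmp = malloc(reqsize + sizeof(WCHAR));
    if (!tmp) return 0;
    expand_path(name, tmp);

    int too_small = check_terminator ? (reqsize + sizeof(WCHAR) > size)
                                     : (reqsize > size);
    if (too_small)
    {
        free(tmp);
        return (DWORD)(reqsize + sizeof(WCHAR));
    }
    /* Copies reqsize + 2 bytes: overruns buffer by one or two bytes whenever
     * the fit test let reqsize == size or reqsize == size - 1 through. */
    memcpy(buffer, tmp, reqsize + sizeof(WCHAR));
    free(tmp);
    return (DWORD)reqsize;
}

#define CANARY 0xA5
enum { ARENA_BYTES = 256, GUARD_BYTES = 16 };

/* Hands the callee a "buffer" of exactly size bytes at the start of a larger
 * canary-filled arena and returns how many bytes past it were overwritten
 * (0 = no overflow, -1 = size too large for this harness). */
static int canary_bytes_clobbered(const char *name, ULONG size, int check_terminator)
{
    unsigned char arena[ARENA_BYTES];
    if (size + GUARD_BYTES > ARENA_BYTES) return -1;
    memset(arena, CANARY, sizeof arena);
    get_full_path(name, size, (WCHAR *)arena, check_terminator);
    int clobbered = 0;
    for (size_t i = size; i < size + GUARD_BYTES; i++)
        if (arena[i] != CANARY) clobbered++;
    return clobbered;
}

/* Return value of get_full_path() when the caller admits to only `size`
 * bytes but really has a large scratch buffer (so the call is always safe). */
static DWORD returned_size(const char *name, ULONG size, int check_terminator)
{
    WCHAR scratch[ARENA_BYTES / sizeof(WCHAR)];
    if (size > sizeof scratch) return 0;
    return get_full_path(name, size, scratch, check_terminator);
}

int main(void)
{
    const char *name = "test.txt";              /* constructed input */
    ULONG need = (ULONG)expanded_bytes(name);   /* 32 bytes for this input */
    for (ULONG size = need - 2; size <= need + 2; size++)
        printf("size=%2u  report check: ret=%2u clobbered=%d | "
               "terminator-aware: ret=%2u clobbered=%d\n",
               (unsigned)size,
               (unsigned)returned_size(name, size, 0), canary_bytes_clobbered(name, size, 0),
               (unsigned)returned_size(name, size, 1), canary_bytes_clobbered(name, size, 1));
    return 0;
}
```

With size equal to the expanded length (32 bytes here), the report's check reports success and writes two canary bytes; with size one byte larger it still clobbers one byte, because the NUL is two bytes. The terminator-aware check instead returns the required size (34) and leaves the caller's buffer untouched until it is genuinely large enough.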
--- Comment #1 from Michael Builov mbuilov@gmail.com 2007-10-19 05:19:13 ---
Created an attachment (id=8658)
 --> (http://bugs.winehq.org/attachment.cgi?id=8658)
call stack

Here is a backtrace to the failed RtlGetFullPathName_U().
Lei Zhang thestig@google.com changed:

           What    |Removed      |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED  |RESOLVED
         Resolution|             |FIXED
--- Comment #2 from Lei Zhang thestig@google.com 2007-10-19 12:22:39 --- Fixed in wine-git:
http://source.winehq.org/git/wine.git/?a=commit;h=7475ecac530f81bf66338fa49f...
Dan Kegel dank@kegel.com changed:

           What    |Removed      |Added
----------------------------------------------------------------------------
             Status|RESOLVED     |CLOSED
--- Comment #3 from Dan Kegel dank@kegel.com 2008-01-28 05:40:25 --- Closing all RESOLVED FIXED bugs older than four weeks.