http://bugs.winehq.org/show_bug.cgi?id=21344
Summary: Buffer overflow in WCMD_run_program Product: Wine Version: 1.1.36 Platform: x86 OS/Version: Linux Status: UNCONFIRMED Severity: normal Priority: P2 Component: cmd AssignedTo: wine-bugs@winehq.org ReportedBy: dima@gmail.com
The WCMD_run_program function in wcmdmain.c copies pathposn into thisDir without checking the size:
/* Work on the first directory on the search path */ pos = strchrW(pathposn, ';'); if (pos) { memcpy(thisDir, pathposn, (pos-pathposn) * sizeof(WCHAR)); thisDir[(pos-pathposn)] = 0x00; pathposn = pos+1;
} else { strcpyW(thisDir, pathposn); pathposn = NULL; }
The size of pathposn can be up to MAXSTRING, while thisDir has size MAX_PATH.
To reproduce:
$ wine cmd /c 'Z:\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\foo' err:seh:setup_exception_record stack overflow 2144 bytes in thread 0019 eip 7bc3ea3e esp 00230ad0 stack 0x230000-0x231000-0x330000
http://bugs.winehq.org/show_bug.cgi?id=21344
--- Comment #1 from Dima Ryazanov dima@gmail.com 2010-01-12 12:37:10 --- This also happens in completely legitimate cases - when the command has as a long argument list that contains backslashes.
http://bugs.winehq.org/show_bug.cgi?id=21344
Austin English austinenglish@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Keywords| |download, testcase
http://bugs.winehq.org/show_bug.cgi?id=21344
Jason Edmeades us@edmeades.me.uk changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |us@edmeades.me.uk
http://bugs.winehq.org/show_bug.cgi?id=21344
Dan Kegel dank@kegel.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |NEW CC| |dank@kegel.com Ever Confirmed|0 |1
--- Comment #2 from Dan Kegel dank@kegel.com 2010-01-24 14:04:18 --- By the way, bug 13469 was also about buffer overflows. We should probably have a conformance/regression test that checks all of those examples, in addition to the one Dima gave. (Dima ran into this running a scons script, see bug 18346.)
Getting ambitious, we might want to write test cases to tickle every unchecked strcpyW/strcatW in wine's cmd.
http://bugs.winehq.org/show_bug.cgi?id=21344
--- Comment #3 from ericho921@gmail.com 2010-03-03 22:49:08 --- Created an attachment (id=26587) --> (http://bugs.winehq.org/attachment.cgi?id=26587) patch for fixing overflow in WCMD_run_program
http://bugs.winehq.org/show_bug.cgi?id=21344
Frédéric Delanoy frederic.delanoy@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |frederic.delanoy@gmail.com
--- Comment #4 from Frédéric Delanoy frederic.delanoy@gmail.com 2011-07-25 17:50:32 CDT --- (In reply to comment #3)
Created an attachment (id=26587)
--> (http://bugs.winehq.org/attachment.cgi?id=26587) [details]
patch for fixing overflow in WCMD_run_program
Patches should be sent to wine-patches mailing list. They won't be picked up from here.
http://bugs.winehq.org/show_bug.cgi?id=21344
--- Comment #5 from Frédéric Delanoy frederic.delanoy@gmail.com 2012-11-09 19:01:14 CST --- Still in 1.5.17
http://bugs.winehq.org/show_bug.cgi?id=21344
--- Comment #6 from Frédéric Delanoy frederic.delanoy@gmail.com 2013-06-07 07:49:24 CDT --- Still in wine-1.5.31-225-gba40509
http://bugs.winehq.org/show_bug.cgi?id=21344
--- Comment #7 from Jason Edmeades us@edmeades.me.uk 2013-06-11 17:06:15 CDT --- Note this seems to have been submitted but not sure on the feedback (http://marc.info/?a=126772329700001&r=1&w=2)
http://bugs.winehq.org/show_bug.cgi?id=21344
--- Comment #8 from Dan Kegel dank@kegel.com 2013-06-12 00:12:41 CDT --- If Eric Ho isn't around anymore, someone else probably needs to write their own fix for this from scratch and submit it. Alexandre frowns on reposting other people's patches.
https://bugs.winehq.org/show_bug.cgi?id=21344
super_man@post.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |super_man@post.com
--- Comment #9 from super_man@post.com --- Still an issue 1.7.50
https://bugs.winehq.org/show_bug.cgi?id=21344
winetest@luukku.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |winetest@luukku.com
--- Comment #10 from winetest@luukku.com --- I saw similar patch being made at some bug.
the originl buffer was like this MAX_PATH;
Then the fix was like this MAX_PATH+ANOTHER_BUFFER;
And it prevented buffer running out too soon.
I think similar would work here.
https://bugs.winehq.org/show_bug.cgi?id=21344
--- Comment #11 from Gijs Vermeulen gijsvrm@gmail.com --- Still present with wine-8.9. I did have to remove the quotes from the example in the OP.
https://bugs.winehq.org/show_bug.cgi?id=21344
Vijay Kamuju infyquest@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |infyquest@gmail.com Status|NEW |RESOLVED Resolution|--- |FIXED
--- Comment #12 from Vijay Kamuju infyquest@gmail.com --- This is now fixed in wine 9.12, no crash
https://bugs.winehq.org/show_bug.cgi?id=21344
Alexandre Julliard julliard@winehq.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED
--- Comment #13 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 9.13.