Module: wine Branch: master Commit: 726acf0f4a0c71a0a12ad089b41d9ea1bd3e1d89 URL: http://source.winehq.org/git/wine.git/?a=commit;h=726acf0f4a0c71a0a12ad089b4...
Author: Juan Lang juan.lang@gmail.com Date: Sun Oct 16 13:07:05 2011 -0700
shell32: Check size of input parameters before copying to fixed length buffers.
---
dlls/shell32/shlexec.c | 34 +++++++++++++++++++++++++++++++++- 1 files changed, 33 insertions(+), 1 deletions(-)
diff --git a/dlls/shell32/shlexec.c b/dlls/shell32/shlexec.c index 3f7a170..b25a04b 100644 --- a/dlls/shell32/shlexec.c +++ b/dlls/shell32/shlexec.c @@ -788,14 +788,25 @@ static unsigned dde_connect(const WCHAR* key, const WCHAR* start, WCHAR* ddeexec WCHAR * exec; DWORD ddeInst = 0; DWORD tid; - DWORD resultLen; + DWORD resultLen, endkeyLen; HSZ hszApp, hszTopic; HCONV hConv; HDDEDATA hDdeData; unsigned ret = SE_ERR_NOASSOC; BOOL unicode = !(GetVersion() & 0x80000000);
+ if (strlenW(key) + 1 > sizeof(regkey) / sizeof(regkey[0])) + { + FIXME("input parameter %s larger than buffer\n", debugstr_w(key)); + return 2; + } strcpyW(regkey, key); + endkeyLen = sizeof(regkey) / sizeof(regkey[0]) - (endkey - regkey); + if (strlenW(wApplication) + 1 > endkeyLen) + { + FIXME("endkey %s overruns buffer\n", debugstr_w(wApplication)); + return 2; + } strcpyW(endkey, wApplication); applen = sizeof(app); if (RegQueryValueW(HKEY_CLASSES_ROOT, regkey, app, &applen) != ERROR_SUCCESS) @@ -809,6 +820,12 @@ static unsigned dde_connect(const WCHAR* key, const WCHAR* start, WCHAR* ddeexec /* Get application command from start string and find filename of application */ if (*start == '"') { + if (strlenW(start + 1) + 1 > sizeof(command) / sizeof(command[0])) + { + FIXME("size of input parameter %s larger than buffer\n", + debugstr_w(start + 1)); + return 2; + } strcpyW(command, start+1); if ((ptr = strchrW(command, '"'))) *ptr = 0; @@ -835,6 +852,11 @@ static unsigned dde_connect(const WCHAR* key, const WCHAR* start, WCHAR* ddeexec ERR("Unable to find application path for command %s\n", debugstr_w(start)); return ERROR_ACCESS_DENIED; } + if (strlenW(ptr) + 1 > sizeof(app) / sizeof(app[0])) + { + FIXME("size of found path %s larger than buffer\n", debugstr_w(ptr)); + return 2; + } strcpyW(app, ptr);
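Review bot: Every oversize-input path added here returns a bare `2`, both after the `key` and `wApplication` checks in this hunk and in the later hunks guarding `command`, `app`, `wTopic` and `wIfexec`, with nothing saying which ShellExecute-style error the caller should read it as. The function already names its default result (`ret = SE_ERR_NOASSOC`), so a named code would keep these exits auditable, e.g. `return SE_ERR_FNF;` if file-not-found is the intended meaning, or at least a comment such as `/* input too long for fixed buffer */`. `endkey` is initialised outside this hunk; if it is derived from `strlenW(key)` before the first check runs, the pointer is already formed past `regkey` for an oversize key, so the length test would be better placed ahead of that computation. The start of dde_connect's body is outside the hunk.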
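Review bot: The guard in the `*start == '"'` branch measures everything after the opening quote, yet the copy is cut at the closing quote on the very next lines, so a command whose quoted path fits in `command` is still refused when its trailing arguments are long. Finding the closing quote in `start + 1` first and bounding only that length, then copying exactly that many characters, would keep the overflow protection without rejecting valid input. Later uses of `ptr` are outside the hunk and would need to be checked against such a change. The unquoted branch is also outside this hunk; if it fills `command` from `start` as well, it needs an equivalent bound.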
/* Remove extensions (including .so) */ @@ -848,6 +870,11 @@ static unsigned dde_connect(const WCHAR* key, const WCHAR* start, WCHAR* ddeexec *ptr = 0; }
+ if (strlenW(wTopic) + 1 > endkeyLen) + { + FIXME("endkey %s overruns buffer\n", debugstr_w(wTopic)); + return 2; + } strcpyW(endkey, wTopic); topiclen = sizeof(topic); if (RegQueryValueW(HKEY_CLASSES_ROOT, regkey, topic, &topiclen) != ERROR_SUCCESS) @@ -890,6 +917,11 @@ static unsigned dde_connect(const WCHAR* key, const WCHAR* start, WCHAR* ddeexec SetLastError(ERROR_DDE_FAIL); return 30; /* whatever */ } + if (strlenW(wIfexec) + 1 > endkeyLen) + { + FIXME("endkey %s overruns buffer\n", debugstr_w(wIfexec)); + return 2; + } strcpyW(endkey, wIfexec); ifexeclen = sizeof(ifexec); if (RegQueryValueW(HKEY_CLASSES_ROOT, regkey, ifexec, &ifexeclen) == ERROR_SUCCESS)
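Review bot: The `return 2` added before `strcpyW(endkey, wIfexec)` comes after the failed-connect branch that returns 30, so DDE has presumably been set up by this point (`ddeInst`, `hszApp` and `hszTopic` are declared at the top of the function; the setup itself is outside the hunk). If that is the case, this early exit skips whatever teardown the other exits perform and leaves the DDE instance registered. `wApplication`, `wTopic` and `wIfexec` look like fixed suffixes, so comparing the longest of them against `endkeyLen` once, right after `regkey` is filled, would reject an oversize key before any DDE state exists. Otherwise this failure should go through the function's existing cleanup path rather than returning directly.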