Module: wine Branch: master Commit: 94d6e616e2cbade844fdc2306514690bf629f675 URL: https://gitlab.winehq.org/wine/wine/-/commit/94d6e616e2cbade844fdc2306514690...
Author: Alex Henrie alexhenrie24@gmail.com Date: Wed Nov 30 23:34:58 2022 -0700
server: Fix buffer overrun in map_view handler.
Because of padding at the end of the struct, sizeof(*view) is greater than offsetof(struct memory_view, name[0]). Change the allocation to overallocate slightly instead of underallocating slightly.
---
server/mapping.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/mapping.c b/server/mapping.c
index 8d4332d240f..ed81a718bbe 100644
--- a/server/mapping.c
+++ b/server/mapping.c
@@ -1212,7 +1212,7 @@ DECL_HANDLER(map_view)
 if (!req->mapping) /* image mapping for a .so dll */
 {
 if (get_req_data_size() > sizeof(view->image)) namelen = get_req_data_size() - sizeof(view->image);
- if (!(view = mem_alloc( offsetof( struct memory_view, name[namelen] )))) return;
+ if (!(view = mem_alloc( sizeof(struct memory_view) + namelen * sizeof(WCHAR) ))) return;
 memset( view, 0, sizeof(*view) );
 view->base = req->base;
 view->size = req->size;
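Review bot: The unit of `namelen` is left implicit on the added `mem_alloc` line: the context line just above derives it as a byte count (`get_req_data_size() - sizeof(view->image)`), yet the allocation multiplies it by `sizeof(WCHAR)`, so unless the name is later copied as `namelen` WCHARs this reserves twice the bytes the name needs — safe, but worth pinning with a comment at the declaration, e.g. `data_size_t namelen = 0;  /* bytes of name data following the image info in the request */`, or sizing it as `sizeof(*view) + namelen` if the copy is in bytes. Using `sizeof(*view)` would also match the `memset( view, 0, sizeof(*view) )` on the next line, which is the size the allocation must cover and the reason for the fix. A follow-up could make `name` a flexible array member (`WCHAR name[];`) so `sizeof(struct memory_view)` no longer counts a placeholder element, but that change belongs to the struct definition outside this hunk. `namelen` is attacker-influenced request length, so on a host where `data_size_t` and `size_t` are both 32-bit the `namelen * sizeof(WCHAR)` product could wrap in principle; whether the server's request size cap already rules that out is not visible here. The body of `map_view` continues before and after this hunk.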