Paul Gofman : shell32: Avoid stack corruption with long name in SHELL_TryAppPathW(). - wine-commits

29 Sep 2023

Module: wine
Branch: master
Commit: f1c57f06d66d61c423c7b842cce3368817663c51
URL:    https://gitlab.winehq.org/wine/wine/-/commit/f1c57f06d66d61c423c7b842cce3368...
Author: Paul Gofman pgofman@codeweavers.com
Date:   Thu Sep 28 19:29:03 2023 -0600
shell32: Avoid stack corruption with long name in SHELL_TryAppPathW().
---
dlls/shell32/shlexec.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/dlls/shell32/shlexec.c b/dlls/shell32/shlexec.c
index ae61c923037..4b943d69637 100644
--- a/dlls/shell32/shlexec.c
+++ b/dlls/shell32/shlexec.c
@@ -428,8 +428,14 @@ static BOOL SHELL_TryAppPathW( LPCWSTR szName, LPWSTR lpResult, WCHAR **env)
     BOOL found = FALSE;
if (env) *env = NULL;
-    lstrcpyW(buffer, L"Software\Microsoft\Windows\CurrentVersion\App Paths\");
-    lstrcatW(buffer, szName);
+    wcscpy(buffer, L"Software\Microsoft\Windows\CurrentVersion\App Paths\");
+    if (wcslen(buffer) + wcslen(szName) + 1 > ARRAY_SIZE(buffer))
+    {
+        WARN("Name is too big.\n");
+        return FALSE;
+    }
+
+    wcscat(buffer, szName);
     res = RegOpenKeyExW(HKEY_LOCAL_MACHINE, buffer, 0, KEY_READ, &hkApp);
     if (res) goto end;

    