This is especially important since it can be read from the registry, so it's trivial to abuse this from other applications if one application makes use of it.
Signed-off-by: Gabriel Ivăncescu gabrielopcode@gmail.com
---
 dlls/shell32/autocomplete.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/dlls/shell32/autocomplete.c b/dlls/shell32/autocomplete.c
index ec91474..3d3ec57 100644
--- a/dlls/shell32/autocomplete.c
+++ b/dlls/shell32/autocomplete.c
@@ -557,6 +557,27 @@ static HRESULT WINAPI IAutoComplete2_fnInit(
 memcpy(This->quickComplete, pwszQuickComplete, len * sizeof(WCHAR));
 }
+ /* Guard against more than one format arguments since that leads to either a crash
+ or leaking stack data out, especially since it can be read from the registry */
+ if (This->quickComplete) {
+ WCHAR *qc = This->quickComplete;
+ BOOL found = FALSE;
+ while ((qc = strchrW(qc, '%')) != NULL)
+ {
+ if (qc[1] == '%') /* %% is not an arg */
+ qc++;
+ else {
+ if (found) {
+ heap_free(This->quickComplete);
+ This->quickComplete = NULL;
+ break;
+ }
+ found = TRUE;
+ }
+ qc++;
+ }
+ }
+
 return S_OK;
 }
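Review bot: The new guard in IAutoComplete2_fnInit counts `%` conversions but never checks which conversion the single permitted one is, so a format whose only specifier is `%d` or `%c` still passes. The formatting call is outside this hunk, so this is inferred, but if the only argument ever supplied is a string pointer, a non-string conversion would misinterpret it, for example printing the pointer value. Consider tightening the inner test to `if (found || qc[1] != 's') {`, loosened as needed if flags or widths such as `%-10s` must stay supported. The rejection is also silent, since the format is freed and S_OK is still returned; a comment such as `/* the format is dropped silently; Init still succeeds */` next to the `heap_free` call, or a trace there, would help when debugging a missing quick-complete. The function body starts before the hunk.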