On Thu, Sep 06, 2018 at 04:34:11PM +0300, Gabriel Ivăncescu wrote:
> On Thu, Sep 6, 2018 at 1:24 PM, Huw Davies <huw@codeweavers.com> wrote:
> > Do we have an app that actually passes crazy format strings? What we mainly care about is protecting against crazy user input strings, not app provided strings, so handle the alloc failure by all means, but I'm not sure the rest is really useful.
> Yes, it can happen because it can read it from the registry. The app can only specify a registry path, and reads whatever the format is from there. But obviously the value in the registry can be written to by any application. Which, IMO, is trivially exploitable. So the application itself doesn't have to be malicious or crazy for this to happen; any other application messing up that registry value can do it.
> Also note that it's mostly about passing it 3 times (hwndText); the rest is already required even for valid strings like %12s, which can be larger than the string itself (or other such format complications, I don't really want to make a printf parser...). I don't think it's a big deal to just pass it 3 times to be safe...
What does Windows do if it's passed %12s for example?
Huw.
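For reference, a sketch of the defensive handling the thread is circling around (a format read from an untrusted registry value, a width such as %12s that exceeds the argument's length, the "pass it 3 times" workaround, and the allocation failure). This is an added example, not code from the patch under discussion; count_string_conversions and format_untrusted are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count the %s conversions in an untrusted format string, accepting only
   "%%" and "%[width]s".  Returns -1 for any other conversion, so a registry
   value carrying %n, %x or a bare trailing '%' never reaches printf. */
int count_string_conversions(const char *fmt)
{
    int count = 0;
    for (const char *p = fmt; *p; p++)
    {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                   /* literal percent sign */
        while (*p >= '0' && *p <= '9') p++;        /* optional width, e.g. %12s */
        if (*p != 's') return -1;                  /* anything else is refused */
        count++;
    }
    return count;
}

/* Format 'text' through 'fmt' into a freshly allocated buffer.  The size comes
   from a first snprintf pass rather than strlen(text), so "%12s" applied to a
   3-character string cannot overflow.  The same argument is supplied for each
   %s, up to three of them (the "pass it 3 times" approach); formats with more
   conversions are rejected.  Returns NULL on rejection or allocation failure;
   the caller must free() the result. */
char *format_untrusted(const char *fmt, const char *text)
{
    int n = count_string_conversions(fmt);
    if (n < 0 || n > 3) return NULL;

    int len = snprintf(NULL, 0, fmt, text, text, text);
    if (len < 0) return NULL;

    char *buf = malloc((size_t)len + 1);
    if (!buf) return NULL;                         /* alloc failure handled */
    snprintf(buf, (size_t)len + 1, fmt, text, text, text);
    return buf;
}
```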