From: Stefan Dösinger stefan@codeweavers.com
Signed-off-by: Stefan Dösinger stefan@codeweavers.com
---
GetPrivateProfileStringW looks rather awkward to me, and we are dealing with external input here, so if there is a better way to handle this please let me know.
A theme description I copypasted out of the registry has 384 characters, so a larger array than MAX_PATH is needed to import it correctly. A maliciously crafted ini file could have any size.
---
 programs/winecfg/theme.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/programs/winecfg/theme.c b/programs/winecfg/theme.c
index 9c8737caf64..2b3e447bda0 100644
--- a/programs/winecfg/theme.c
+++ b/programs/winecfg/theme.c
@@ -22,6 +22,7 @@
 *
 */
+#include <assert.h>
 #include <stdarg.h>
 #include <stdlib.h>
 #include <stdio.h>
@@ -554,15 +555,24 @@ static void set_color_from_theme(const WCHAR *keyName, COLORREF color)
static void do_parse_theme(WCHAR *file)
 {
- WCHAR keyName[MAX_PATH], keyNameValue[MAX_PATH];
+ WCHAR *keyName, keyNameValue[MAX_PATH];
+ DWORD len, allocLen = 512;
 WCHAR *keyNamePtr = NULL;
 int red = 0, green = 0, blue = 0;
 COLORREF color;
- WINE_TRACE("%s\n", wine_dbgstr_w(file));
+ keyName = malloc(sizeof(*keyName) * allocLen);
+ for (;;)
+ {
+ assert(keyName);
+ len = GetPrivateProfileStringW(L"Control Panel\Colors", NULL, NULL, keyName,
+ allocLen, file);
+ if (len < allocLen - 2)
+ break;
- GetPrivateProfileStringW(L"Control Panel\Colors", NULL, NULL, keyName,
- MAX_PATH, file);
+ allocLen *= 2;
+ keyName = realloc(keyName, sizeof(*keyName) * allocLen);
+ }
keyNamePtr = keyName;
 while (*keyNamePtr!=0) {
@@ -580,6 +590,7 @@ static void do_parse_theme(WCHAR *file)
 keyNamePtr+=lstrlenW(keyNamePtr);
 keyNamePtr++;
 }
+ free(keyName);
 }
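Review bot: In do_parse_theme's new sizing loop the only allocation-failure handling is `assert(keyName)`, which aborts winecfg on failure and is compiled out entirely when NDEBUG is defined, and `keyName = realloc(keyName, ...)` overwrites the only pointer to the old buffer. Since the key list comes from a user-supplied theme file, `allocLen` also doubles with no upper bound; should the DWORD ever wrap to 0, `allocLen - 2` wraps as well and the loop exits with a zero-sized buffer that the `while (*keyNamePtr!=0)` walk then reads. I would check for NULL explicitly, keep the realloc result in a temporary, and refuse to grow past a fixed limit, as in the excerpt below (the cap value is illustrative). The loop body that uses `keyName` lies outside this hunk.

```c
    for (;;)
    {
        WCHAR *grown;

        if (!keyName) return;
        /* … unchanged: GetPrivateProfileStringW call and the len < allocLen - 2 test … */

        if (allocLen >= 0x100000) /* illustrative cap, in WCHARs */
        {
            free(keyName);
            return;
        }
        allocLen *= 2;
        grown = realloc(keyName, sizeof(*keyName) * allocLen);
        if (!grown)
        {
            free(keyName);
            return;
        }
        keyName = grown;
    }
```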
static void on_theme_install(HWND dialog)