Fixes bug#40742
When parsing a command, after the first '/' we store the characters away in quals. The command itself can be MAXSTRING in bytes, but the quals was limited to MAX_PATH. This is incorrect, as you can provide very long qualifiers as well. Expand the space to allow the maximum size possible.
According to the bug, this can be triggered causing a trap - I tried hard to get a trap, unsuccessfully, but I was able to prove that the quals was being filled to a size far greater than the allocated space, verifying this problem was valid.
The patch itself was originally attached to bug 40742 by 'Brian' but was never submitted. I've remade the patch (not that you can tell, as it ends up identical) and verified it is valid. Not sure how to give credit to the original author in this case, but adding my sign-off.
Signed-off-by: Jason Edmeades us@edmeades.me.uk
---
 programs/cmd/wcmd.h     | 2 +-
 programs/cmd/wcmdmain.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/programs/cmd/wcmd.h b/programs/cmd/wcmd.h index d4d97a0067..8d6eb6b48e 100644 --- a/programs/cmd/wcmd.h +++ b/programs/cmd/wcmd.h @@ -204,7 +204,7 @@ typedef struct _FOR_CONTEXT { * (uppercased and concatenated) and parameters entered, with environment * variables and batch parameters substitution already done. */ -extern WCHAR quals[MAX_PATH], param1[MAXSTRING], param2[MAXSTRING]; +extern WCHAR quals[MAXSTRING], param1[MAXSTRING], param2[MAXSTRING]; extern DWORD errorlevel; extern BATCH_CONTEXT *context; extern FOR_CONTEXT forloopcontext; diff --git a/programs/cmd/wcmdmain.c b/programs/cmd/wcmdmain.c index 0d02f1f388..8fe2d574e5 100644 --- a/programs/cmd/wcmdmain.c +++ b/programs/cmd/wcmdmain.c @@ -38,7 +38,7 @@ extern struct env_stack *pushd_directories;
BATCH_CONTEXT *context = NULL; DWORD errorlevel; -WCHAR quals[MAX_PATH], param1[MAXSTRING], param2[MAXSTRING]; +WCHAR quals[MAXSTRING], param1[MAXSTRING], param2[MAXSTRING]; BOOL interactive; FOR_CONTEXT forloopcontext; /* The 'for' loop context */ BOOL delayedsubst = FALSE; /* The current delayed substitution setting */
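
Review bot: In programs/cmd/wcmd.h the comment above the extern declaration does not say why quals now has to match param1 and param2 in size. The commit message explains that everything after the first '/' of a command of up to MAXSTRING is stored in quals; one sentence in that comment stating that quals must never be smaller than the command buffer would stop a later cleanup from shrinking it back to MAX_PATH.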
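
Review bot: In programs/cmd/wcmdmain.c the definition of quals grows to MAXSTRING, but the patch changes only the two array sizes and adds no length check where quals is filled, so the fix holds only while the parsed command can never exceed MAXSTRING. The commit message reports quals being written well past its allocated space; consider also bounding that write against the element count of quals at the point where the qualifiers are stored, so a future change to the command length limit does not reopen the overflow.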