On Thu, Sep 6, 2018 at 1:24 PM, Huw Davies huw@codeweavers.com wrote:
> Do we have an app that actually passes crazy format strings? What we mainly care about is protecting against crazy user input strings, not app provided strings, so handle the alloc failure by all means, but I'm not sure the rest is really useful.
Yes, it can happen because it can read it from the registry. The app can only specify a registry path, and reads whatever the format is from there. But obviously the value in the registry can be written to by any application, which, IMO, is trivially exploitable. So the application itself doesn't have to be malicious or crazy for this to happen; any other application messing up that registry value can do it.
Also note that it's mostly about passing it 3 times (hwndText), the rest is already required even for valid strings like %12s which can be larger than the string itself (or other such format complications, I don't really want to make a printf parser...). I don't think it's a big deal to just pass it 3 times to be safe...
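The sizing point above, as an added example that is not part of the thread or of Wine's code: a format string such as "%12s" produces more output than the format and the text together, so the buffer has to be sized by measuring the formatted result rather than by adding string lengths. The function names `format_untrusted` and `naive_size` are assumptions for illustration; the measuring call via `snprintf(NULL, 0, ...)` is standard C, and passing the text argument three times mirrors the approach described in the message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not Wine's code). Formats `text` through a format string
 * that came from an external source (in the thread, a registry value).
 * Returns a heap buffer the caller frees, or NULL on allocation failure. */
char *format_untrusted(const char *fmt, const char *text)
{
    /* Measure first: snprintf with a zero-sized buffer returns the length
     * the full output needs, so "%12s" padding is accounted for. The text
     * argument is passed three times so a format with up to three %s
     * conversions still reads a valid pointer, as the message describes. */
    int needed = snprintf(NULL, 0, fmt, text, text, text);
    if (needed < 0)
        return NULL;

    char *buf = malloc((size_t)needed + 1);
    if (!buf)
        return NULL;    /* the alloc failure the reply asks to handle */

    snprintf(buf, (size_t)needed + 1, fmt, text, text, text);
    return buf;
}

/* The size a quick patch might compute: format length plus text length.
 * Kept as a function so the comparison against the measured size is visible. */
size_t naive_size(const char *fmt, const char *text)
{
    return strlen(fmt) + strlen(text) + 1;
}

int main(void)
{
    /* Constructed sample formats, including the width case from the thread. */
    const char *samples[] = { "%s", "%12s", "%s %s %s" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char *out = format_untrusted(samples[i], "hi");
        if (!out) {
            puts("allocation failed");
            continue;
        }
        printf("fmt=%-10s naive=%zu measured=%zu out=\"%s\"\n",
               samples[i], naive_size(samples[i], "hi"),
               strlen(out) + 1, out);
        free(out);
    }
    return 0;
}
```

The repeated argument only covers string conversions; it does not make other conversions safe, which is why the thread settles on handling the known width case and the allocation failure rather than writing a full printf parser.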
You could just return on heap_alloc failure, that would keep the patch smaller.
Again, a break on alloc failure would keep things simpler.
Okay, will do.