Hi,
I was on holiday when you sent these patches, sorry for the late review.
On 2014-12-13 at 18:06, Jonathan Vollebregt wrote:
+static LSTATUS sane_path(const WCHAR *key) +{
- if (key[0] == '\' && key[1] == '\' && key[2] != '\')
return ERROR_NO_REMOTE;
- return ERROR_SUCCESS;
+}
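Review bot: the condition in sane_path reads key[0], key[1] and key[2] with no length or NULL check on key, so it stays in bounds only because && short-circuits and the string is NUL-terminated (key[2] is evaluated only when the first two characters are both backslashes). Suggest adding an explicit length check before the comparison, or at least a comment stating that key must be a non-NULL, NUL-terminated string, so the safety of the index at key[2] does not depend on the reader working out the evaluation order.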
This adds (or rather extends) a possible out of bound array access.
Otherwise these patches look reasonable to me and worth review by others.
A general note on the error handling code for other reviewers: Native reg.exe has very limited error reporting. With a few exceptions it just prints a generic message like "ERROR: INVALID SYNTAX" or something similar.
I guess there are also some possible improvements on the output code as Bruno mentioned, but I think patch 3 is OK until (if ever) we have unified console output handling for all command line programs.
On 2015-01-06 at 21:07, Stefan Dösinger wrote:
On 2014-12-13 at 18:06, Jonathan Vollebregt wrote:
+static LSTATUS sane_path(const WCHAR *key) +{
- if (key[0] == '\' && key[1] == '\' && key[2] != '\')
return ERROR_NO_REMOTE;
- return ERROR_SUCCESS;
+}
This adds (or rather extends) a possible out of bound array access.
Actually, never mind that, as discussed on IRC. If the string is too short, key[0] or key[1] won't be '\'. Still, it looks somewhat odd, but the next patch adds an explicit length check.
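The short-circuit argument from the follow-up above, as an added example that is not code from the Wine patch: it records the highest index the quoted condition reads and sets the terminated form beside an explicit-length form for counted buffers. The names `check_terminated`, `check_counted`, `max_index_read` and the `PATH_*` codes are assumptions made for this sketch, and `wchar_t` stands in for `WCHAR`.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Stand-in result codes for this example; not the Windows error values. */
enum { PATH_OK = 0, PATH_REMOTE = 1 };

/* Short-circuit form, shaped like the quoted condition. In bounds only for
 * NUL-terminated input: key[1] is read only when key[0] is a backslash
 * (so not the terminator), and key[2] only when key[1] is one as well. */
static int check_terminated(const wchar_t *key)
{
    if (key[0] == L'\\' && key[1] == L'\\' && key[2] != L'\\')
        return PATH_REMOTE;
    return PATH_OK;
}

/* Highest index the condition above evaluates for a given string. */
static size_t max_index_read(const wchar_t *key)
{
    if (key[0] != L'\\') return 0;
    if (key[1] != L'\\') return 1;
    return 2;
}

/* Explicit-length form for counted buffers with no terminator guarantee:
 * every index is compared against len before it is read. */
static int check_counted(const wchar_t *key, size_t len)
{
    if (!key || len < 2 || key[0] != L'\\' || key[1] != L'\\')
        return PATH_OK;
    /* Exactly two backslashes matches the terminated case where key[2]
     * is the NUL, which is also "not a backslash". */
    if (len == 2 || key[2] != L'\\')
        return PATH_REMOTE;
    return PATH_OK;
}

int main(void)
{
    /* Constructed sample inputs. */
    const wchar_t *samples[] = { L"", L"\\", L"\\\\", L"\\\\host\\HKLM", L"\\\\\\x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("len=%zu max_index=%zu terminated=%d counted=%d\n",
               wcslen(samples[i]), max_index_read(samples[i]),
               check_terminated(samples[i]),
               check_counted(samples[i], wcslen(samples[i])));
    return 0;
}
```

For every terminated sample the highest index read never exceeds the string length, so the furthest read is the terminator itself; a counted buffer without a terminator has no such guarantee and needs the length comparison.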