From: Dmitry Timoshkov dmitry@baikal.ru
Signed-off-by: Dmitry Timoshkov dmitry@baikal.ru --- dlls/kernel32/tests/actctx.c | 2 -- dlls/ntdll/actctx.c | 56 ++++++++++++++++++++++++++++++++---- 2 files changed, 50 insertions(+), 8 deletions(-)
diff --git a/dlls/kernel32/tests/actctx.c b/dlls/kernel32/tests/actctx.c
index 98ca6c3cd76..585f72b9a75 100644
--- a/dlls/kernel32/tests/actctx.c
+++ b/dlls/kernel32/tests/actctx.c
@@ -2836,7 +2836,6 @@ static void test_CreateActCtx(void)
         handle = CreateActCtxW(&ctxW);
         if (!test[i].error)
         {
-            todo_wine
             ok(handle != INVALID_HANDLE_VALUE, "CreateActCtx error %lu\n", GetLastError());
             ReleaseActCtx(handle);
         }
@@ -2851,7 +2850,6 @@ static void test_CreateActCtx(void)
     ctxW.lpSource = sourceW; /* source without hModule must point to valid PE */
     SetLastError(0xdeadbeef);
     handle = CreateActCtxW(&ctxW);
-    todo_wine_if(i != 4)
     ok(handle != INVALID_HANDLE_VALUE, "CreateActCtx error %lu\n", GetLastError());
     ReleaseActCtx(handle);
diff --git a/dlls/ntdll/actctx.c b/dlls/ntdll/actctx.c
index 9f2c1d54720..8a9d8c9ae23 100644
--- a/dlls/ntdll/actctx.c
+++ b/dlls/ntdll/actctx.c
@@ -5251,12 +5251,15 @@ NTSTATUS WINAPI RtlCreateActivationContext( HANDLE *handle, const void *ptr )
     TRACE("%p %08lx\n", pActCtx, pActCtx ? pActCtx->dwFlags : 0);
-    if (!pActCtx || pActCtx->cbSize < sizeof(*pActCtx) ||
+    if (!pActCtx || pActCtx->cbSize < FIELD_OFFSET(ACTCTXW, wProcessorArchitecture) ||
         (pActCtx->dwFlags & ~ACTCTX_FLAGS_ALL))
         return STATUS_INVALID_PARAMETER;
-    if ((pActCtx->dwFlags & ACTCTX_FLAG_RESOURCE_NAME_VALID) && !pActCtx->lpResourceName)
-        return STATUS_INVALID_PARAMETER;
+    if (pActCtx->dwFlags & ACTCTX_FLAG_RESOURCE_NAME_VALID)
+    {
+        if (pActCtx->cbSize < FIELD_OFFSET(ACTCTXW, lpResourceName) + sizeof(pActCtx->lpResourceName) || !pActCtx->lpResourceName)
+            return STATUS_INVALID_PARAMETER;
+    }
     if (!(actctx = RtlAllocateHeap( GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(*actctx) )))
         return STATUS_NO_MEMORY;
@@ -5268,6 +5271,11 @@ NTSTATUS WINAPI RtlCreateActivationContext( HANDLE *handle, const void *ptr )
     actctx->appdir.type = ACTIVATION_CONTEXT_PATH_TYPE_WIN32_FILE;
     if (pActCtx->dwFlags & ACTCTX_FLAG_APPLICATION_NAME_VALID)
     {
+        if (pActCtx->cbSize < FIELD_OFFSET(ACTCTXW, lpApplicationName) + sizeof(pActCtx->lpApplicationName))
+        {
+            status = STATUS_INVALID_PARAMETER;
+            goto error;
+        }
         if (!(actctx->appdir.info = strdupW( pActCtx->lpApplicationName ))) goto error;
     }
     else
@@ -5276,7 +5284,15 @@ NTSTATUS WINAPI RtlCreateActivationContext( HANDLE *handle, const void *ptr )
         WCHAR *p;
         HMODULE module;
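Review bot: The five-line `cbSize` guard introduced in this hunk for lpResourceName is copied by hand for lpApplicationName, hModule, wLangId and lpAssemblyDirectory (twice) in the later hunks of this file, each re-deriving the field bound inline. A single helper such as `#define ACTCTX_HAS_FIELD(ctx, f) ((ctx)->cbSize >= FIELD_OFFSET(ACTCTXW, f) + sizeof((ctx)->f))` would turn every site into a one-line `if (!ACTCTX_HAS_FIELD(pActCtx, lpApplicationName)) { status = STATUS_INVALID_PARAMETER; goto error; }` and keep the bound computation in one place, which matters because the bound is what stops a read past a caller-supplied structure. The new minimum of FIELD_OFFSET(ACTCTXW, wProcessorArchitecture) covers cbSize, dwFlags and lpSource but not wProcessorArchitecture itself, so any read of that field elsewhere in the function needs the same guard; none is visible in this hunk. RtlCreateActivationContext's body continues outside the hunk.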
-        if (pActCtx->dwFlags & ACTCTX_FLAG_HMODULE_VALID) module = pActCtx->hModule;
+        if (pActCtx->dwFlags & ACTCTX_FLAG_HMODULE_VALID)
+        {
+            if (pActCtx->cbSize < FIELD_OFFSET(ACTCTXW, hModule) + sizeof(pActCtx->hModule))
+            {
+                status = STATUS_INVALID_PARAMETER;
+                goto error;
+            }
+            module = pActCtx->hModule;
+        }
         else module = NtCurrentTeb()->Peb->ImageBaseAddress;
         if ((status = get_module_filename( module, &dir, 0 ))) goto error;
@@ -5298,6 +5314,12 @@ NTSTATUS WINAPI RtlCreateActivationContext( HANDLE *handle, const void *ptr )
     {
         DWORD dir_len, source_len;
+        if (pActCtx->cbSize < FIELD_OFFSET(ACTCTXW, lpAssemblyDirectory) + sizeof(pActCtx->lpAssemblyDirectory))
+        {
+            status = STATUS_INVALID_PARAMETER;
+            goto error;
+        }
+
         dir_len = wcslen(pActCtx->lpAssemblyDirectory);
         source_len = wcslen(pActCtx->lpSource);
         if (!(source = RtlAllocateHeap( GetProcessHeap(), 0, (dir_len+source_len+2)*sizeof(WCHAR))))
@@ -5331,11 +5353,33 @@ NTSTATUS WINAPI RtlCreateActivationContext( HANDLE *handle, const void *ptr )
     acl.num_dependencies = 0;
     acl.allocated_dependencies = 0;
-    if (pActCtx->dwFlags & ACTCTX_FLAG_LANGID_VALID) lang = pActCtx->wLangId;
-    if (pActCtx->dwFlags & ACTCTX_FLAG_ASSEMBLY_DIRECTORY_VALID) directory = pActCtx->lpAssemblyDirectory;
+    if (pActCtx->dwFlags & ACTCTX_FLAG_LANGID_VALID)
+    {
+        if (pActCtx->cbSize < FIELD_OFFSET(ACTCTXW, wLangId) + sizeof(pActCtx->wLangId))
+        {
+            status = STATUS_INVALID_PARAMETER;
+            goto error;
+        }
+        lang = pActCtx->wLangId;
+    }
+    if (pActCtx->dwFlags & ACTCTX_FLAG_ASSEMBLY_DIRECTORY_VALID)
+    {
+        if (pActCtx->cbSize < FIELD_OFFSET(ACTCTXW, lpAssemblyDirectory) + sizeof(pActCtx->lpAssemblyDirectory))
+        {
+            status = STATUS_INVALID_PARAMETER;
+            goto error;
+        }
+        directory = pActCtx->lpAssemblyDirectory;
+    }
     if (pActCtx->dwFlags & ACTCTX_FLAG_RESOURCE_NAME_VALID)
     {
+        if (pActCtx->cbSize < FIELD_OFFSET(ACTCTXW, lpResourceName) + sizeof(pActCtx->lpResourceName))
+        {
+            status = STATUS_INVALID_PARAMETER;
+            goto error;
+        }
+
         /* if we have a resource it's a PE file */
         if (pActCtx->dwFlags & ACTCTX_FLAG_HMODULE_VALID)
         {
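Review bot: The hModule size guard added in the earlier hModule hunk appears to sit in the `else` branch of ACTCTX_FLAG_APPLICATION_NAME_VALID (that hunk starts three lines after the `else` closing the application-name block), so when ACTCTX_FLAG_APPLICATION_NAME_VALID, ACTCTX_FLAG_HMODULE_VALID and ACTCTX_FLAG_RESOURCE_NAME_VALID are all set, the `if (pActCtx->dwFlags & ACTCTX_FLAG_HMODULE_VALID)` branch at the end of this hunk is reached with cbSize only proven to cover lpApplicationName and lpResourceName; if its body (outside the hunk) reads `pActCtx->hModule`, as the flag implies, a caller passing a cbSize that stops just before hModule is read past its structure. The lpResourceName guard added at the top of this block duplicates the check already made in the first hunk and cannot fail here, so it could be replaced by `if (pActCtx->cbSize < FIELD_OFFSET(ACTCTXW, hModule) + sizeof(pActCtx->hModule)) { status = STATUS_INVALID_PARAMETER; goto error; }` placed inside the ACTCTX_FLAG_HMODULE_VALID branch. The kernel32 test hunks only drop todo_wine markers and add no case with a truncated cbSize, so none of the new guards is exercised by the tests in this commit. RtlCreateActivationContext's body extends beyond this hunk.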