From: Anton Baskanov baskanov@gmail.com
---
 dlls/dplayx/dplay.c | 1 +
 dlls/dplayx/name_server.c | 11 +++++++++++
 dlls/dplayx/name_server.h | 1 +
 3 files changed, 13 insertions(+)
diff --git a/dlls/dplayx/dplay.c b/dlls/dplayx/dplay.c
index d74b1a25bfe..811a22fab77 100644
--- a/dlls/dplayx/dplay.c
+++ b/dlls/dplayx/dplay.c
@@ -347,6 +347,7 @@ HRESULT DP_HandleMessage( IDirectPlayImpl *This, const void *lpcMessageBody,
 NS_AddRemoteComputerAsNameServer( lpcMessageHeader,
 This->dp2->spData.dwSPHeaderSize,
 lpcMessageBody,
+ dwMessageBodySize,
 This->dp2->lpNameServerData );
LeaveCriticalSection( &This->lock );
diff --git a/dlls/dplayx/name_server.c b/dlls/dplayx/name_server.c
index 4fabf64d32a..1342cb7b962 100644
--- a/dlls/dplayx/name_server.c
+++ b/dlls/dplayx/name_server.c
@@ -89,14 +89,25 @@ static DPQ_DECL_COMPARECB( cbUglyPig, GUID )
 void NS_AddRemoteComputerAsNameServer( LPCVOID lpcNSAddrHdr,
 DWORD dwHdrSize,
 LPCDPMSG_ENUMSESSIONSREPLY lpcMsg,
+ DWORD msgSize,
 LPVOID lpNSInfo )
 {
 DWORD len;
 lpNSCache lpCache = (lpNSCache)lpNSInfo;
 lpNSCacheData lpCacheNode;
+ DWORD maxNameLength;
+ DWORD nameLength;
TRACE( "%p, %p, %p\n", lpcNSAddrHdr, lpcMsg, lpNSInfo );
+ if ( msgSize < sizeof( DPMSG_ENUMSESSIONSREPLY ) + sizeof( WCHAR ) )
+ return;
+
+ maxNameLength = (msgSize - sizeof( DPMSG_ENUMSESSIONSREPLY )) / sizeof( WCHAR );
+ nameLength = wcsnlen( (WCHAR *) (lpcMsg + 1), maxNameLength );
+ if ( nameLength == maxNameLength )
+ return;
+
 /* See if we can find this session. If we can, remove it as it's a dup */
 DPQ_REMOVE_ENTRY_CB( lpCache->first, next, data->guidInstance, cbUglyPig,
 lpcMsg->sd.guidInstance, lpCacheNode );
diff --git a/dlls/dplayx/name_server.h b/dlls/dplayx/name_server.h
index 70612ecf00f..b946e9e1fd9 100644
--- a/dlls/dplayx/name_server.h
+++ b/dlls/dplayx/name_server.h
@@ -32,6 +32,7 @@ void NS_SetLocalComputerAsNameServer( LPCDPSESSIONDESC2 lpsd, LPVOID lpNSInfo );
 void NS_AddRemoteComputerAsNameServer( LPCVOID lpNSAddrHdr,
 DWORD dwHdrSize,
 LPCDPMSG_ENUMSESSIONSREPLY lpcMsg,
+ DWORD msgSize,
 LPVOID lpNSInfo );
 LPVOID NS_GetNSAddr( LPVOID lpNSInfo );
 DWORD NS_GetNsMagic( LPVOID lpNSInfo );
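Review bot: Both new early returns in NS_AddRemoteComputerAsNameServer (name_server.c hunk) drop a malformed reply silently, and the TRACE above them does not print msgSize, so a peer that sends truncated or unterminated session replies leaves nothing in the log; a `WARN( "ignoring truncated or unterminated reply\n" );` before each `return;` would make the rejection visible. The cast `(WCHAR *) (lpcMsg + 1)` also discards the const that LPCDPMSG_ENUMSESSIONSREPLY appears to carry; `(const WCHAR *) (lpcMsg + 1)` keeps it. nameLength is only compared inside this hunk, and the function body continues outside it, so any later read of the session name should reuse this validated length rather than scan the buffer again. The check assumes the name begins directly after the fixed structure, which deserves a one-line comment next to `lpcMsg + 1`.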