From: Dmitry Timoshkov dmitry@baikal.ru
Signed-off-by: Dmitry Timoshkov dmitry@baikal.ru
---
 dlls/kernel32/process.c | 38 +++++++++++++++++++++++++++++++++++-
 dlls/kernel32/tests/actctx.c | 2 --
 2 files changed, 37 insertions(+), 3 deletions(-)
diff --git a/dlls/kernel32/process.c b/dlls/kernel32/process.c
index e9e18925911..a61bb826401 100644
--- a/dlls/kernel32/process.c
+++ b/dlls/kernel32/process.c
@@ -422,7 +422,7 @@ HANDLE WINAPI DECLSPEC_HOTPATCH CreateActCtxA( const ACTCTXA *actctx )
TRACE("%p %08lx\n", actctx, actctx ? actctx->dwFlags : 0);
- if (!actctx || actctx->cbSize != sizeof(*actctx))
+ if (!actctx || actctx->cbSize < FIELD_OFFSET(ACTCTXA, wProcessorArchitecture))
 {
 SetLastError(ERROR_INVALID_PARAMETER);
 return INVALID_HANDLE_VALUE;
@@ -440,11 +440,30 @@ HANDLE WINAPI DECLSPEC_HOTPATCH CreateActCtxA( const ACTCTXA *actctx )
 actw.lpSource = src;
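Review bot: The relaxed lower bound in the first `if` needs a comment stating the invariant it now enforces, because the exact-size test it replaces is gone and a `cbSize` larger than `sizeof(*actctx)` is accepted as well. Judging by the field name, the minimum covers only the members that precede `wProcessorArchitecture`, so every later member is safe to read only after its own flag-gated size check further down. I would add `/* cbSize must cover the unconditionally read members; each optional member is size-checked below before it is read */` above the test, and confirm that accepting oversized structures is what the actctx tests expect. The function body starts before and continues after this hunk.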
 if (actw.dwFlags & ACTCTX_FLAG_PROCESSOR_ARCHITECTURE_VALID)
+ {
+ if (actctx->cbSize < FIELD_OFFSET(ACTCTXA, wProcessorArchitecture) + sizeof(actctx->wProcessorArchitecture))
+ {
+ SetLastError(ERROR_INVALID_PARAMETER);
+ goto done;
+ }
 actw.wProcessorArchitecture = actctx->wProcessorArchitecture;
+ }
 if (actw.dwFlags & ACTCTX_FLAG_LANGID_VALID)
+ {
+ if (actctx->cbSize < FIELD_OFFSET(ACTCTXA, wLangId) + sizeof(actctx->wLangId))
+ {
+ SetLastError(ERROR_INVALID_PARAMETER);
+ goto done;
+ }
 actw.wLangId = actctx->wLangId;
+ }
 if (actw.dwFlags & ACTCTX_FLAG_ASSEMBLY_DIRECTORY_VALID)
 {
+ if (actctx->cbSize < FIELD_OFFSET(ACTCTXA, lpAssemblyDirectory) + sizeof(actctx->lpAssemblyDirectory))
+ {
+ SetLastError(ERROR_INVALID_PARAMETER);
+ goto done;
+ }
 len = MultiByteToWideChar(CP_ACP, 0, actctx->lpAssemblyDirectory, -1, NULL, 0);
 assdir = HeapAlloc(GetProcessHeap(), 0, len * sizeof(WCHAR));
 if (!assdir) goto done;
@@ -453,6 +472,11 @@ HANDLE WINAPI DECLSPEC_HOTPATCH CreateActCtxA( const ACTCTXA *actctx )
 }
 if (actw.dwFlags & ACTCTX_FLAG_RESOURCE_NAME_VALID)
 {
+ if (actctx->cbSize < FIELD_OFFSET(ACTCTXA, lpResourceName) + sizeof(actctx->lpResourceName))
+ {
+ SetLastError(ERROR_INVALID_PARAMETER);
+ goto done;
+ }
 if ((ULONG_PTR)actctx->lpResourceName >> 16)
 {
 len = MultiByteToWideChar(CP_ACP, 0, actctx->lpResourceName, -1, NULL, 0);
@@ -465,6 +489,11 @@ HANDLE WINAPI DECLSPEC_HOTPATCH CreateActCtxA( const ACTCTXA *actctx )
 }
 if (actw.dwFlags & ACTCTX_FLAG_APPLICATION_NAME_VALID)
 {
+ if (actctx->cbSize < FIELD_OFFSET(ACTCTXA, lpApplicationName) + sizeof(actctx->lpApplicationName))
+ {
+ SetLastError(ERROR_INVALID_PARAMETER);
+ goto done;
+ }
 len = MultiByteToWideChar(CP_ACP, 0, actctx->lpApplicationName, -1, NULL, 0);
 appname = HeapAlloc(GetProcessHeap(), 0, len * sizeof(WCHAR));
 if (!appname) goto done;
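Review bot: The same size guard is written out for every optional member here and again in the hunks at -453, -465 and -472, and each copy names the member twice in the check and once more in the read, so one mismatched name would let the function read past the size the caller declared. A single local macro keeps the checked member and the accessed member tied together, for example `#define ACTCTXA_HAS_FIELD(ctx, field) ((ctx)->cbSize >= FIELD_OFFSET(ACTCTXA, field) + sizeof((ctx)->field))`, used as `if (!ACTCTXA_HAS_FIELD(actctx, wLangId)) { SetLastError(ERROR_INVALID_PARAMETER); goto done; }`. The `done` label and the initial value of `ret` are outside the visible lines; the new error paths presumably rely on `ret` still holding the failure value when they jump there, which is worth confirming.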
@@ -472,7 +501,14 @@ HANDLE WINAPI DECLSPEC_HOTPATCH CreateActCtxA( const ACTCTXA *actctx )
 actw.lpApplicationName = appname;
 }
 if (actw.dwFlags & ACTCTX_FLAG_HMODULE_VALID)
+ {
+ if (actctx->cbSize < FIELD_OFFSET(ACTCTXA, hModule) + sizeof(actctx->hModule))
+ {
+ SetLastError(ERROR_INVALID_PARAMETER);
+ goto done;
+ }
 actw.hModule = actctx->hModule;
+ }
ret = CreateActCtxW(&actw);
diff --git a/dlls/kernel32/tests/actctx.c b/dlls/kernel32/tests/actctx.c
index 61553703589..98ca6c3cd76 100644
--- a/dlls/kernel32/tests/actctx.c
+++ b/dlls/kernel32/tests/actctx.c
@@ -2878,7 +2878,6 @@ static void test_CreateActCtx(void)
 handle = CreateActCtxA(&actctx);
 if (!test[i].error)
 {
- todo_wine
 ok(handle != INVALID_HANDLE_VALUE, "CreateActCtx error %lu\n", GetLastError());
 ReleaseActCtx(handle);
 }
@@ -2893,7 +2892,6 @@ static void test_CreateActCtx(void)
 actctx.lpSource = source; /* source without hModule must point to valid PE */
 SetLastError(0xdeadbeef);
 handle = CreateActCtxA(&actctx);
- todo_wine_if(i != 4)
 ok(handle != INVALID_HANDLE_VALUE, "CreateActCtx error %lu\n", GetLastError());
 ReleaseActCtx(handle);