List:       wine-devel
Subject:    Re: [resend] fusion: Avoid buffer overflow in enum_gac_assemblies.
From:       Alexandre Julliard <julliard () winehq ! org>
Date:       2016-11-29 20:35:27
Message-ID: 87wpfmowhc.fsf () winehq ! org
Gerald Pfeifer <gerald@pfeifer.com> writes:

> [ Marvin indicated testing went fine, and I did not see any feedback
>   for two weeks. Only the description below has changed a little. ]
>
> In enum_gac_assemblies we have the following
>
>     sprintf(buf, ", Version=%s, Culture=%s, PublicKeyToken=%s",
>             ffd.cFileName, culture, ptr);
>
> culture is declared as char[MAX_PATH], and WIN32_FIND_DATAA.cFileName 
> is CHAR[260], so a mere size of MAX_PATH for the output buffer buf is
> not sufficient.
>
> (We need to double sizeof(ffd.cFileName) since ptr also points
> into it.)

They all point into the same path, so the total size is not going to
exceed MAX_PATH (modulo the additionally printed chars). And it doesn't
make sense to fix this buffer but not the other ones, you are just
moving the bug.

-- 
Alexandre Julliard
julliard@winehq.org
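Added example, not Wine's code and not part of the thread: a bounded rewrite of the quoted sprintf call using snprintf, with MAX_PATH defined here as a stand-in for the Windows constant and the helper names and sample field values chosen for illustration. It shows the case both posts argue about: one field that already fills a MAX_PATH-1 name, plus the 37 fixed characters the format always emits, does not fit in a MAX_PATH buffer, and the bounded version reports that instead of overrunning the stack.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the Windows constant; not taken from Wine's headers. */
#define MAX_PATH 260

/* The same format string the thread quotes from enum_gac_assemblies. */
#define ASSEMBLY_TAIL_FMT ", Version=%s, Culture=%s, PublicKeyToken=%s"

/* Fixed text the format always emits (what remains when the three %s are empty). */
#define ASSEMBLY_TAIL_FIXED (sizeof(", Version=, Culture=, PublicKeyToken=") - 1)

/* Bounded replacement for the sprintf call: writes at most bufsize-1 chars
 * plus the NUL.  Returns the length written, or -1 when the output would
 * not fit, which is exactly the case where a plain sprintf would overflow. */
int format_assembly_tail(char *buf, size_t bufsize,
                         const char *version, const char *culture,
                         const char *token)
{
    int n = snprintf(buf, bufsize, ASSEMBLY_TAIL_FMT, version, culture, token);
    if (n < 0 || (size_t)n >= bufsize) {
        if (bufsize) buf[0] = '\0';   /* never hand back a truncated tail */
        return -1;
    }
    return n;
}

/* Typical input: short version and culture, constructed 16-hex-digit token. */
int demo_short_fields(void)
{
    char buf[MAX_PATH];
    return format_assembly_tail(buf, sizeof(buf),
                                "1.0.0.0", "neutral", "0123456789abcdef");
}

/* Worst case from the thread: a single field that fills a MAX_PATH-1 name.
 * The fixed text pushes the total past MAX_PATH, so with a MAX_PATH-sized
 * destination the bounded call reports -1 instead of overrunning the buffer;
 * with MAX_PATH + ASSEMBLY_TAIL_FIXED bytes it fits. */
int demo_max_path_name(size_t bufsize)
{
    char name[MAX_PATH];
    char buf[MAX_PATH + ASSEMBLY_TAIL_FIXED];   /* upper bound for any bufsize used here */
    memset(name, 'a', sizeof(name) - 1);
    name[sizeof(name) - 1] = '\0';
    if (bufsize > sizeof(buf)) bufsize = sizeof(buf);
    return format_assembly_tail(buf, bufsize, name, "", "");
}

/* Bytes required to hold the tail for these fields, NUL included, using the
 * snprintf(NULL, 0, ...) sizing idiom; useful when the buffer is allocated. */
size_t assembly_tail_needed(const char *version, const char *culture,
                            const char *token)
{
    return (size_t)snprintf(NULL, 0, ASSEMBLY_TAIL_FMT, version, culture, token) + 1;
}

int main(void)
{
    printf("short fields: %d chars\n", demo_short_fields());
    printf("MAX_PATH name into MAX_PATH buffer: %d\n", demo_max_path_name(MAX_PATH));
    printf("MAX_PATH name into %zu-byte buffer: %d\n",
           (size_t)(MAX_PATH + ASSEMBLY_TAIL_FIXED),
           demo_max_path_name(MAX_PATH + ASSEMBLY_TAIL_FIXED));
    return 0;
}
```

The -1 path is the point of the exercise: sizing one buffer by guesswork, as Alexandre notes, only moves the problem, whereas a bounded write plus a checked return value makes the overflow condition visible wherever the format is used.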
