List: wine-devel
Subject: Re: [resend] fusion: Avoid buffer overflow in enum_gac_assemblies.
From: Alexandre Julliard <julliard () winehq ! org>
Date: 2016-11-29 20:35:27
Message-ID: 87wpfmowhc.fsf () winehq ! org
Gerald Pfeifer <gerald@pfeifer.com> writes:
> [ Marvin indicated testing went fine, and I did not see any feedback
> for two weeks. Only the description below has changed a little. ]
>
> In enum_gac_assemblies we have the following
>
> sprintf(buf, ", Version=%s, Culture=%s, PublicKeyToken=%s",
>         ffd.cFileName, culture, ptr);
>
> culture is declared as char[MAX_PATH], and WIN32_FIND_DATAA.cFileName
> is CHAR[260], so a mere size of MAX_PATH for the output buffer buf is
> not sufficient.
>
> (We need to double sizeof(ffd.cFileName) since ptr also points
> into it.)
They all point into the same path, so the total size is not going to
exceed MAX_PATH (modulo the additionally printed chars). And it doesn't
make sense to fix this buffer but not the other ones, you are just
moving the bug.
--
Alexandre Julliard
julliard@winehq.org
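The exchange above turns on how large the output of that sprintf can get. The following is an added example, not Wine code and not from either poster: it uses the format string quoted in the thread, a hypothetical helper `format_assembly_name` that replaces sprintf with snprintf and checks the return value (so an oversized input is reported rather than written past the buffer), and `worst_case_buffer_size`, which computes the upper bound if each `%s` argument were independently MAX_PATH-sized. The `MAX_PATH` value of 260 and the sample inputs are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH 260   /* assumed value, matching the Windows definition */

/* Format string as quoted in the thread. */
static const char ASSEMBLY_FMT[] = ", Version=%s, Culture=%s, PublicKeyToken=%s";

/* Hypothetical helper (not Wine's code): bounded replacement for the sprintf.
 * snprintf never writes more than bufsize bytes; its return value is the
 * length the full result would have had, so n >= bufsize means truncation.
 * Returns 0 on success, -1 if the name did not fit (buf is then emptied). */
int format_assembly_name(char *buf, size_t bufsize, const char *file,
                         const char *culture, const char *token)
{
    int n = snprintf(buf, bufsize, ASSEMBLY_FMT, file, culture, token);
    if (n < 0 || (size_t)n >= bufsize) {
        if (bufsize) buf[0] = '\0';   /* do not hand back a partial name */
        return -1;
    }
    return 0;
}

/* Upper bound on the output if each %s argument were an independent string
 * of MAX_PATH - 1 characters: literal text + three arguments + NUL. */
size_t worst_case_buffer_size(void)
{
    size_t literal = strlen(ASSEMBLY_FMT) - 3 * 2;   /* drop the three "%s" */
    return literal + 3 * (MAX_PATH - 1) + 1;
}

/* Constructed sample: short components fit comfortably in MAX_PATH. */
int demo_short_name_fits(void)
{
    char buf[MAX_PATH];
    if (format_assembly_name(buf, sizeof(buf), "1.0.0.0", "neutral",
                             "0123456789abcdef") != 0)
        return 0;
    return strcmp(buf, ", Version=1.0.0.0, Culture=neutral, "
                       "PublicKeyToken=0123456789abcdef") == 0;
}

/* Constructed sample: a MAX_PATH-sized file name is refused, not overflowed. */
int demo_long_name_is_rejected(void)
{
    char longname[MAX_PATH];
    char buf[MAX_PATH];
    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';
    if (format_assembly_name(buf, sizeof(buf), longname, "neutral",
                             "0123456789abcdef") != -1)
        return 0;
    return buf[0] == '\0';
}

int main(void)
{
    printf("short name fits: %d\n", demo_short_name_fits());
    printf("long name rejected: %d\n", demo_long_name_is_rejected());
    printf("worst-case buffer size: %zu (MAX_PATH is %d)\n",
           worst_case_buffer_size(), MAX_PATH);
    return 0;
}
```

Whether the callers' arguments really all come from one MAX_PATH path, as the reply argues, or not, the snprintf form costs nothing extra and makes the bound explicit at the call site instead of relying on an invariant held elsewhere.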