server: Fix buffer overrun in map_view handler.

Because of padding at the end of the struct, sizeof(*view) is greater than offsetof(struct memory_view, name[0]). Change the allocation to overallocate slightly instead of underallocating slightly.

server: Fix buffer overrun in map_view handler.
94d6e616 · Alex Henrie · Alexandre Julliard · 4aac4e7c · 94d6e616
Commit 94d6e616 authored Nov 30, 2022 by Alex Henrie Committed by Alexandre Julliard Feb 01, 2023
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

mapping.c server/mapping.c +1 -1

No files found.
--- a/server/mapping.c
+++ b/server/mapping.c
@@ -1212,7 +1212,7 @@ DECL_HANDLER(map_view)
    if (!req->mapping)  /* image mapping for a .so dll */
    {
        if (get_req_data_size() > sizeof(view->image)) namelen = get_req_data_size() - sizeof(view->image);
-        if (!(view = mem_alloc( offsetof( struct memory_view, name[namelen] )))) return;
+        if (!(view = mem_alloc( sizeof(struct memory_view) + namelen * sizeof(WCHAR) ))) return;
        memset( view, 0, sizeof(*view) );
        view->base    = req->base;
        view->size    = req->size;