Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
W
wine-cw
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
wine
wine-cw
Commits
c1dddbea
Commit
c1dddbea
authored
Jul 10, 2002
by
Alexandre Julliard
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
RegEnumValue[AW] need to update the data size on buffer overflow
(spotted by Massimo <max@veneto.com>).
parent
1d8f92c8
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
63 additions
and
48 deletions
+63
-48
registry.c
dlls/advapi32/registry.c
+33
-25
registry.c
memory/registry.c
+30
-23
No files found.
dlls/advapi32/registry.c
View file @
c1dddbea
...
...
@@ -1076,7 +1076,7 @@ DWORD WINAPI RegEnumValueW( HKEY hkey, DWORD index, LPWSTR value, LPDWORD val_co
if
(
info
->
NameLength
/
sizeof
(
WCHAR
)
>=
*
val_count
)
{
status
=
STATUS_BUFFER_OVERFLOW
;
goto
done
;
goto
overflow
;
}
memcpy
(
value
,
info
->
Name
,
info
->
NameLength
);
*
val_count
=
info
->
NameLength
/
sizeof
(
WCHAR
);
...
...
@@ -1088,7 +1088,7 @@ DWORD WINAPI RegEnumValueW( HKEY hkey, DWORD index, LPWSTR value, LPDWORD val_co
if
(
total_size
-
info
->
DataOffset
>
*
count
)
{
status
=
STATUS_BUFFER_OVERFLOW
;
goto
done
;
goto
overflow
;
}
memcpy
(
data
,
buf_ptr
+
info
->
DataOffset
,
total_size
-
info
->
DataOffset
);
if
(
total_size
-
info
->
DataOffset
<=
*
count
-
sizeof
(
WCHAR
)
&&
is_string
(
info
->
Type
))
...
...
@@ -1102,6 +1102,7 @@ DWORD WINAPI RegEnumValueW( HKEY hkey, DWORD index, LPWSTR value, LPDWORD val_co
}
else
status
=
STATUS_SUCCESS
;
overflow:
if
(
type
)
*
type
=
info
->
Type
;
if
(
count
)
*
count
=
info
->
DataLength
;
...
...
@@ -1154,21 +1155,6 @@ DWORD WINAPI RegEnumValueA( HKEY hkey, DWORD index, LPSTR value, LPDWORD val_cou
if
(
status
)
goto
done
;
if
(
value
)
{
DWORD
len
;
RtlUnicodeToMultiByteSize
(
&
len
,
info
->
Name
,
info
->
NameLength
);
if
(
len
>=
*
val_count
)
{
status
=
STATUS_BUFFER_OVERFLOW
;
goto
done
;
}
RtlUnicodeToMultiByteN
(
value
,
len
,
NULL
,
info
->
Name
,
info
->
NameLength
);
value
[
len
]
=
0
;
*
val_count
=
len
;
}
if
(
is_string
(
info
->
Type
))
{
DWORD
len
;
...
...
@@ -1176,16 +1162,15 @@ DWORD WINAPI RegEnumValueA( HKEY hkey, DWORD index, LPSTR value, LPDWORD val_cou
total_size
-
info
->
DataOffset
);
if
(
data
&&
len
)
{
if
(
len
>
*
count
)
if
(
len
>
*
count
)
status
=
STATUS_BUFFER_OVERFLOW
;
else
{
status
=
STATUS_BUFFER_OVERFLOW
;
goto
done
;
RtlUnicodeToMultiByteN
(
data
,
len
,
NULL
,
(
WCHAR
*
)(
buf_ptr
+
info
->
DataOffset
),
total_size
-
info
->
DataOffset
);
/* if the type is REG_SZ and data is not 0-terminated
* and there is enough space in the buffer NT appends a \0 */
if
(
len
<
*
count
&&
data
[
len
-
1
])
data
[
len
]
=
0
;
}
RtlUnicodeToMultiByteN
(
data
,
len
,
NULL
,
(
WCHAR
*
)(
buf_ptr
+
info
->
DataOffset
),
total_size
-
info
->
DataOffset
);
/* if the type is REG_SZ and data is not 0-terminated
* and there is enough space in the buffer NT appends a \0 */
if
(
len
<
*
count
&&
data
[
len
-
1
])
data
[
len
]
=
0
;
}
info
->
DataLength
=
len
;
}
...
...
@@ -1194,6 +1179,29 @@ DWORD WINAPI RegEnumValueA( HKEY hkey, DWORD index, LPSTR value, LPDWORD val_cou
if
(
total_size
-
info
->
DataOffset
>
*
count
)
status
=
STATUS_BUFFER_OVERFLOW
;
else
memcpy
(
data
,
buf_ptr
+
info
->
DataOffset
,
total_size
-
info
->
DataOffset
);
}
if
(
value
&&
!
status
)
{
DWORD
len
;
RtlUnicodeToMultiByteSize
(
&
len
,
info
->
Name
,
info
->
NameLength
);
if
(
len
>=
*
val_count
)
{
status
=
STATUS_BUFFER_OVERFLOW
;
if
(
*
val_count
)
{
len
=
*
val_count
-
1
;
RtlUnicodeToMultiByteN
(
value
,
len
,
NULL
,
info
->
Name
,
info
->
NameLength
);
value
[
len
]
=
0
;
}
}
else
{
RtlUnicodeToMultiByteN
(
value
,
len
,
NULL
,
info
->
Name
,
info
->
NameLength
);
value
[
len
]
=
0
;
*
val_count
=
len
;
}
}
}
else
status
=
STATUS_SUCCESS
;
...
...
memory/registry.c
View file @
c1dddbea
...
...
@@ -533,21 +533,6 @@ DWORD WINAPI RegEnumValueA( HKEY hkey, DWORD index, LPSTR value, LPDWORD val_cou
if
(
status
)
goto
done
;
if
(
value
)
{
DWORD
len
;
RtlUnicodeToMultiByteSize
(
&
len
,
info
->
Name
,
info
->
NameLength
);
if
(
len
>=
*
val_count
)
{
status
=
STATUS_BUFFER_OVERFLOW
;
goto
done
;
}
RtlUnicodeToMultiByteN
(
value
,
len
,
NULL
,
info
->
Name
,
info
->
NameLength
);
value
[
len
]
=
0
;
*
val_count
=
len
;
}
if
(
is_string
(
info
->
Type
))
{
DWORD
len
;
...
...
@@ -555,16 +540,15 @@ DWORD WINAPI RegEnumValueA( HKEY hkey, DWORD index, LPSTR value, LPDWORD val_cou
total_size
-
info
->
DataOffset
);
if
(
data
&&
len
)
{
if
(
len
>
*
count
)
if
(
len
>
*
count
)
status
=
STATUS_BUFFER_OVERFLOW
;
else
{
status
=
STATUS_BUFFER_OVERFLOW
;
goto
done
;
RtlUnicodeToMultiByteN
(
data
,
len
,
NULL
,
(
WCHAR
*
)(
buf_ptr
+
info
->
DataOffset
),
total_size
-
info
->
DataOffset
);
/* if the type is REG_SZ and data is not 0-terminated
* and there is enough space in the buffer NT appends a \0 */
if
(
len
<
*
count
&&
data
[
len
-
1
])
data
[
len
]
=
0
;
}
RtlUnicodeToMultiByteN
(
data
,
len
,
NULL
,
(
WCHAR
*
)(
buf_ptr
+
info
->
DataOffset
),
total_size
-
info
->
DataOffset
);
/* if the type is REG_SZ and data is not 0-terminated
* and there is enough space in the buffer NT appends a \0 */
if
(
len
<
*
count
&&
data
[
len
-
1
])
data
[
len
]
=
0
;
}
info
->
DataLength
=
len
;
}
...
...
@@ -573,6 +557,29 @@ DWORD WINAPI RegEnumValueA( HKEY hkey, DWORD index, LPSTR value, LPDWORD val_cou
if
(
total_size
-
info
->
DataOffset
>
*
count
)
status
=
STATUS_BUFFER_OVERFLOW
;
else
memcpy
(
data
,
buf_ptr
+
info
->
DataOffset
,
total_size
-
info
->
DataOffset
);
}
if
(
value
&&
!
status
)
{
DWORD
len
;
RtlUnicodeToMultiByteSize
(
&
len
,
info
->
Name
,
info
->
NameLength
);
if
(
len
>=
*
val_count
)
{
status
=
STATUS_BUFFER_OVERFLOW
;
if
(
*
val_count
)
{
len
=
*
val_count
-
1
;
RtlUnicodeToMultiByteN
(
value
,
len
,
NULL
,
info
->
Name
,
info
->
NameLength
);
value
[
len
]
=
0
;
}
}
else
{
RtlUnicodeToMultiByteN
(
value
,
len
,
NULL
,
info
->
Name
,
info
->
NameLength
);
value
[
len
]
=
0
;
*
val_count
=
len
;
}
}
}
else
status
=
STATUS_SUCCESS
;
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment